Chapter 1

Introduction 


Under NASA Contract NAS1-15528, SRI developed techniques for the formal specification and verification of reliable operating systems for flight control applications. Such operating systems necessarily involve parallel processing activities, both within each processor and between multiple processors. The techniques available for the specification and verification of such parallel activities were very crude and expensive to use. This report describes a new technique for the specification of asynchronous parallel activities.

In previous research, supported by NSF, SRI explored temporal logic as a 
framework for specifying and reasoning about concurrent programs, distributed 
systems, and communications protocols. Previous papers[Schwartz/Melliar-Smith 
81,82, Vogt82a,b] report on efforts to use temporal reasoning primitives to express 
very high-level abstract requirements that a program or system must satisfy. 
Based on experience with those primitives, SRI has developed an interval logic 
more suitable for expressing higher-level temporal properties. 


*This research has received additional support from National Science Foundation Grant MCS-8104459.

†Dr. Vogt was on leave from the Hahn-Meitner-Institut, Berlin, Federal Republic of Germany.





The survey paper [Schwartz/Melliar-Smith82] examines how several different temporal logic approaches express conceptual requirements for a simple protocol. The conclusions were both disappointing and encouraging. On one hand, the very abstract temporal requirements provided an elegant statement of minimal behavior for implementation conformance. It was possible to distill a set of requirements expressing the essence of the desired behavior, stating only requirements without implementation-constraining expedients. Our intention was to specify only the minimum required externally visible behavior, leaving all other aspects to lower levels of description. We have argued that only by doing so can one gain the necessary measure of confidence that a specification reflects the intuitive requirements. Implementation-oriented details, while facilitating verification of like implementations, lead to overly detailed and complicated specifications and bias implementation strategies.

While the level of conceptualization of the specifications was satisfactory, their expression in temporal logic was rather complex and difficult to understand. Because of the relatively low level of the linear-time temporal logic operators ($\Box$, $\Diamond$, Until, Latches-Until, etc.), many higher-level concepts had to be “encoded”. Most of these concepts concern properties that hold over some interval of the computation, and characterizing such intervals and their properties in temporal logic is difficult and unwieldy. Intervals in temporal logic are “tail sequence” intervals, always extending from the present state through the remainder of the computation. Temporal logic operators are always interpreted on the entire tail sequence. For this reason, the unary $\Box$ and $\Diamond$ operators cannot be used to specify invariance and eventuality properties in bounded intervals. The Until operator, which does allow one to identify a future point in the computation, must be composed to encode such properties indirectly. This quickly leads to a morass of embedded Until formulas.

The impoverished set of temporal abstractions forced the inclusion of state 
components that were not properly part of the specification. These additional 
state components were needed to establish the amount of context necessary to 
express the requirements. Without these components, context could only have 
been achieved by complex nestings of temporal Until constructs to establish a 
sequence of prior states. The survey paper highlighted how the introduction of 
state simplifies the temporal logic formulas at the expense of increasing the amount 
of “mechanism” in the specification. 

For our goal of minimal specification of internal behavior, the parameterized 
event-sequence temporal specification was the most satisfying, and least read- 
able. The difficulty of establishing context by temporal constraint rather than 
by state function led us to include supplementary state and a slightly lower-level 
specification. 

In this research, we have investigated an interval logic to provide a higher- 
level framework for expressing temporal relationships. A higher-level temporal 
concept that pervades almost all temporal specifications is that of a property 
being true for an interval. The concept of intervals and interval composition 
forms the basic structure of our specification and verification method. This allows 
conceptual requirements to be stated rather directly and intuitively within the 
logic. For the examples considered, this new logic has provided concise and 
workable specifications of the intended semantic requirements. 

An informal introduction of the language and logic follows in Section 2. A formal model for the interval logic is given in Section 3, with a selection of valid formulas appearing in Section 4. The remainder of the paper contains sample specifications and a small proof example. Sections 5, 6, 7, and 8 explore the application of interval logic to queues, a hardware arbiter, a simple communications protocol, and a distributed mutual-exclusion algorithm, respectively. Section 9 concludes with a discussion of the current status of the research.

Appended to this report are two papers by David Plaisted, a consultant to 
this project, describing a decision procedure for the Interval Logic. 
Chapter 2

An Interval Logic 


At the heart of our interval logic are formulas of the form:

$[I]\alpha$

Informally, the meaning of this is: “The next time the interval $I$ can be constructed, the formula $\alpha$ will ‘hold’ for that interval.” This interval formula is evaluated within the current interval context and is vacuously satisfied if the interval $I$ cannot be found. A formula ‘holds’ for an interval if it is satisfied by the interval sequence, with the present state being the beginning of the interval.

The unary $\Box$ and $\Diamond$ temporal logic operators retain their intuitive meaning within interval logic. The formula $[I]\Box\alpha$ requires that property $\alpha$ hold throughout the interval, while $[I]\Diamond\alpha$ expresses the property that sometime during the interval $I$, $\alpha$ must hold. For a simple state predicate $P$, the interval formula $[I]P$ expresses the requirement that $P$ be true in the first state of the interval.

Interval formulas compose with the other temporal operators to derive higher-level properties of intervals. The formula

$[I][J]\alpha$

states that the first $J$ interval contained in the next $I$ interval, if found, will have property $\alpha$. The property that all $J$ intervals within interval $I$ have property $\alpha$ would be expressed as $[I]\Box[J]\alpha$. More globally, the formula $\Box[I]\alpha$ requires all further $I$ intervals to have property $\alpha$.

Each interval formula $[I]\alpha$ constrains $\alpha$ to hold only if the interval $I$ can be found. Thus only when the context can be established need the interval property hold. To require that the interval occur, one could write $\neg[I]\mathit{False}$. If the interval is found, the $\neg$ inverts the $\mathit{False}$ to $\mathit{True}$, while if the interval is not found, the interval term is vacuously satisfied and then inverted by the $\neg$ to $\mathit{False}$. The interval language defines the formula $*I$ to mean exactly this.

Thus far, we have described how to compose properties of intervals without discussing how intervals are formed. At the heart of a very general mechanism for defining and combining intervals is the notion of an event. An event, defined by an interval formula $\beta$, occurs when $\beta$ changes from $\mathit{False}$ to $\mathit{True}$, i.e., when it becomes true. In the simplest case, $\beta$ is a predicate on the state, such as $x > 5$ or $\mathit{atDq}$.† Note that, if the predicate is true in the initial state, the event occurs only when it changes from $\mathit{False}$ to $\mathit{True}$, and thus only after the predicate has first become $\mathit{False}$.


Intervals are defined by a simple or composed interval term. The primitive interval, from which all intervals are derived, is the event interval. An event, defined by $\beta$, denotes the interval of change of length 2 containing the $\neg\beta$ and $\beta$ states comprising the change. Pictorially, this is represented as

[Figure: the event interval for $\beta$, a two-state interval consisting of the $\neg\beta$ state immediately followed by the $\beta$ state.]

Two functions, begin and end, operate on intervals to extract unit intervals. For interval term $I$, $\mathit{begin}\,I$ denotes the unit interval containing the first state of interval $I$. Similarly, $\mathit{end}\,I$ denotes the unit interval at the end. Application of the end function is undefined for infinite intervals. Again, pictorially, the intervals selected are

[Figure: for an interval $I$, $\mathit{begin}\,I$ is the unit interval at the first state of $I$ and $\mathit{end}\,I$ is the unit interval at the last state of $I$.]

† $\mathit{atDq}$ means that control is at the entry point to the operation $\mathit{Dq}$.

For a predicate event $P$, the following formulas are valid:

$[\,\mathit{end}\,P\,]\ P$

$[\,\mathit{begin}\,P\,]\ \neg P$

$[\,P\,]\ \neg P$

2.1 The Interval Operators ⇒ and ⇐

Two generic operators exist to derive intervals from interval arguments. We take the liberty of overloading these operators to allow zero, one or two interval-valued arguments. Intuitively, the direction of the operator indicates in which direction and in which order the interval endpoints are located. The endpoint at the tail of the arrow is first located, followed by a search in the direction of the arrow for the second endpoint. A missing parameter causes the related endpoint to be that of the outer context.

The interval term $I \Rightarrow$ denotes the interval commencing at the end of the next interval $I$ and extending for the remainder of the outer context. The right arrow operator, in effect, locates the first $I$ interval, relative to the outer context, and forms the interval from the end of that $I$ interval onward. With only a second argument present, $\Rightarrow J$ denotes the interval commencing with the first state of the outer context and extending to the end of the first $J$ interval. Thus,

[Figure: $I \Rightarrow$ extends from $\mathit{end}\,I$ to the end of the outer context; $\Rightarrow J$ extends from the first state of the outer context to $\mathit{end}\,J$.]

The term $I \Rightarrow J$, with two interval arguments, represents the composition of the two definitions. This constructs the interval starting at the end of interval $I$ and extending to the end of the next interval $J$ located in the interval $I \Rightarrow$. Given this definition, the interval formula $[\,I \Rightarrow J\,]\alpha$ is equivalent to $[\,I \Rightarrow\,][\,\Rightarrow J\,]\alpha$. Recall that the formula $[\,I \Rightarrow J\,]\alpha$ is vacuously true if the $I \Rightarrow J$ interval cannot be found. Pictorially, the interval selected is

[Figure: $I \Rightarrow J$ extends from $\mathit{end}\,I$ to $\mathit{end}\,J$, where $J$ is the first $J$ interval after $\mathit{end}\,I$.]

The right arrow operator with no interval arguments selects the entire outer 
context. 

The left arrow operator $\Leftarrow$ is defined analogously. For interval term $I \Leftarrow J$, the first $J$ interval in context is located. From the end of this $J$ interval, the most recent $I$ interval is located. The derived interval $I \Leftarrow J$ begins with $\mathit{end}\,I$ and ends with $\mathit{end}\,J$. Thus,

[Figure: $I \Leftarrow J$ extends from $\mathit{end}\,I$, for the most recent $I$ preceding $\mathit{end}\,J$, to $\mathit{end}\,J$.]


Similarly, the interval term $I \Leftarrow$ selects the interval beginning with the end of the last $I$ interval and extending for the remainder of the context. For a context in which an interval $I$ occurs an infinite number of times, the formula $[\,I \Leftarrow\,]\alpha$ is vacuously true. The interval terms $\Leftarrow$ and $\Leftarrow J$ are strictly equivalent to $\Rightarrow$ and $\Rightarrow J$, respectively.

The following examples illustrate the use of the interval operators.

$[\,x = y \Rightarrow y = 16\,]\ \Box\ x > z$ (1)

For the interval beginning with the next event of the variable $x$ becoming equal to $y$ and ending with $y$ changing to the value 16, the value of $x$ is asserted to remain greater than $z$. The first state of the interval is thus the state in which $x$ is equal to $y$ and the last state is that in which $y$ is next equal to 16. Note that the events $x = y$ and $y = 16$ denote the next changes from $x \neq y$ and $y \neq 16$.

To modify the above requirement to allow $x > z$ to become $\mathit{False}$ as $y$ becomes 16, one could write

$[\,x = y \Rightarrow \mathit{begin}(y = 16)\,]\ \Box\ x > z$ (2)

Nesting interval terms provides a method of expressing more comprehensive context requirements. Consider the formula

$[\,(A \Rightarrow B) \Rightarrow C\,]\ \Diamond D$ (3)

[Figure: events $A$, $B$, $C$ in order; the selected interval runs from $\mathit{end}\,B$ to $\mathit{end}\,C$.]


The formula requires that, if an $A$ event is found, the subsequent $B$ to $C$ interval, if found, must sometime satisfy property $D$. The outer $\Rightarrow$ operator selects the interval commencing at the end of its first argument, in this case, at the end of the selected $A \Rightarrow B$ interval. The interval then extends until the next $C$ event, establishing the necessary context.

In the previous example, the formula was vacuously true if any of the events $A$, $B$, or $C$ could not be found in the established context. In order to easily express a requirement that a particular event or interval must be found if the necessary context is established, we introduce an interval term modifier $*$. For interval term $I$, $*I$ adds the additional requirement that $I$ must be found in the designated context. The formula

$[\,(A \Rightarrow *B) \Rightarrow C\,]\ \Diamond D$ (4)

strengthens formula (3) by adding the requirement that, if an $A$ event occurs, a subsequent $B$ event must occur. This is equivalent to formula (3) conjoined with $[\,A \Rightarrow\,]\,*B$.

The $*$ modifier can be applied to an arbitrary interval term. The formula $[\,*(A \Rightarrow B) \Rightarrow C\,]\ \Diamond D$, for example, would be equivalent to (3) conjoined with $*(A \Rightarrow B)$, or equivalently, $*A \wedge [\,A \Rightarrow\,]\,*B$. The $*$ modifier adds only linguistic expressive power and can be eliminated by a simple reduction (given in the Appendix).

As an example of specifying context for the end of the interval, consider the formula

$[\,A \Rightarrow (B \Rightarrow C)\,]\ \Diamond D$ (5)

[Figure: events $A$, $B$, $C$ in order; the selected interval runs from $\mathit{end}\,A$ to the end of the first $C$ that follows $B$.]

Here, the interval begins with the next occurrence of $A$ and terminates with the first $C$ that follows the next $B$.


By modifying formula (3) to begin the interval at the beginning of $A \Rightarrow B$, i.e.,

$[\,\mathit{begin}(A \Rightarrow B) \Rightarrow C\,]\ \Diamond D$ (6)

[Figure: the selected interval runs from $\mathit{end}\,A$ to $\mathit{end}\,C$; $B$ must still occur after $A$, but may fall before or after $C$.]

we obtain a requirement similar to that of (5), but allowing events $B$ and $C$ to be arbitrarily ordered.

Introducing the use of backward context, to find the interval $A \Rightarrow B$ in the context of $C$, we have

$[\,(A \Rightarrow B) \Leftarrow C\,]\ \Diamond D$ (7)

[Figure: the first $C$ fixes the end of the context; the selected interval runs from $\mathit{end}\,B$ of the most recent $A \Rightarrow B$ interval to $\mathit{end}\,C$.]

Here the occurrence of the first $C$ event places an endpoint on the context, within which the most recent $A \Rightarrow B$ interval is found. Note the order of search: looking forward, the next $C$ is found, then backward for the most recent $A$, then forward for the next $B$. Thus, the formula is vacuously true if no $B$ is found between the most recent $A$ and $C$.

As a last example, consider

$[\,\mathit{begin}(A \Rightarrow B) \Leftarrow C\,]\ \Diamond D$ (8)

[Figure: the selected interval runs from $\mathit{end}\,A$ of the most recent $A \Rightarrow B$ interval to $\mathit{end}\,C$.]

The interval extends back from the first $C$ event to the beginning of the most recent $A \Rightarrow B$ interval.


2.2 Parameterized Operations

Within the language of our interval logic we include the concept of an abstract operation. For an abstract operation $O$, state predicates $\mathit{atO}$, $\mathit{inO}$, and $\mathit{afterO}$ are defined. These predicates carry the intuitive meanings of being “at the beginning”, “within”, and “immediately after” the operation. Formally, we use the following temporal axiomatization of these state predicates.

1. $[\,\mathit{atO} \Rightarrow \mathit{begin}\,\mathit{afterO}\,]\ \Box\ \mathit{inO}$

2. $[\,\mathit{afterO} \Rightarrow \mathit{begin}\,\mathit{atO}\,]\ \Box\ \neg\mathit{inO}$

3. $[\,\neg\mathit{atO} \Rightarrow \mathit{afterO}\,]\ \Box\ \neg\mathit{atO}$

4. $[\,\neg\mathit{afterO} \Rightarrow \mathit{atO}\,]\ \Box\ \neg\mathit{afterO}$

Axioms 1 and 2 together define $\mathit{inO}$ to be true exactly from $\mathit{atO}$ to the state immediately preceding $\mathit{afterO}$. Axiom 3 allows $\mathit{atO}$ to be true only at the beginning of the operation, and axiom 4 requires that $\mathit{afterO}$ be true only immediately following an operation. Note that, in axiom 1 for example, the predicate $\mathit{atO}$ used as an event term defines the interval commencing with the entry to the operation.

The axioms do not imply any specific granularity, duration or mapping of the operation symbol to an implementation. Any interpretation of these state predicate symbols satisfying the above axioms is allowed. In addition, no assumption of operation termination is made. To require an operation to always terminate, one could state as an axiom

$[\,\mathit{atO} \Rightarrow *\mathit{afterO}\,]\ \mathit{True}$

Abstract operations may take entry and result parameters. For an operation taking $n$ entry parameters of types $T_1, \ldots, T_n$, and $m$ result parameters of types $T_{n+1}, \ldots, T_{n+m}$, the at and after state predicates are overloaded to include parameter values. $\mathit{atO}(v_1, \ldots, v_n)$ is true in any state in which $\mathit{atO}$ is true and the values of the parameters are $v_1, \ldots, v_n$. The predicate $\mathit{afterO}$ is similarly overloaded.

As an example of an interval requirement involving parameterized operations, consider an operation $O$ with a single entry parameter. To require that this parameter increase monotonically over the call history, one could state

$\forall a, b\ \ \Box\,[\,\mathit{atO}(a) \Rightarrow \mathit{atO}(b)\,]\ b > a$

Since $a$ and $b$ are free variables, for all $a$ and $b$ such that we can find an interval commencing with an $\mathit{atO}(a)$ and ending with an $\mathit{atO}(b)$, $b$ must be greater than $a$. Recall that the formula is vacuously true for any choice of $a$ and $b$ such that the interval cannot be found.

It is also useful to be able to designate the next occurrence of the operation call, and to bind the parameter values of that call. The event term $\mathit{atO}{:}(a)$ designates the next event $\mathit{atO}$ and binds the free variable $a$ to the value of the parameter for that call. Thus the previous requirement, constraining all pairs of calls, can be restated in terms of successive calls as

$\Box\,[\,\mathit{atO}(a) \Rightarrow \mathit{atO}{:}(b)\,]\ b > a$

The requirement is now that, for every $a$, the call $\mathit{atO}(a)$ is followed by a next call of $O$ whose parameter is greater than $a$. This parameter binding convention has a general reduction, which we omit here. For this specific formula, the reduction gives

$\Box\,[\,\mathit{atO}(a) \Rightarrow\,]\ \big(\,[\,\mathit{end}\,\mathit{atO}\,]\,\mathit{atO}(b)\ \supset\ [\,\mathit{atO}\,]\ b > a\,\big)$
Chapter 3

A Formal Model 


In this section we give the syntax and model-theoretic semantics for the language of interval logic.

In the following, we will use $\alpha$, $\beta$, $\gamma$ as logical variables ranging over interval formulas and use $I$, $J$, $K$ ranging over interval terms. We use $P$ to range over atomic predicates and $A$ to range over event terms.

Summarizing the language of our logic, we have defined the following syntactic constructs:

<interval formula> $\alpha$ ::= $P \ \mid\ \neg\beta \ \mid\ \beta\ \langle\text{propositional connective}\rangle\ \gamma \ \mid\ \Diamond\beta \ \mid\ \Box\beta \ \mid\ *I \ \mid\ [I]\beta$

<interval term> $I$ ::= $A \ \mid\ \mathit{begin}\,I \ \mid\ \mathit{end}\,I \ \mid\ J \Rightarrow K \ \mid\ J \Leftarrow K$ (for the two arrow terms, one or both arguments may be omitted)

<event term> $A$ ::= $\alpha$

As we mentioned earlier, the $*$ interval term modifier is considered as a syntactic abbreviation. Rules for its elimination appear in the Appendix.

For a finite or infinite computation state sequence $s$, we now define satisfaction of an interval formula $\alpha$ by $s$. In defining the model, we use the notation $s_{\langle i,j\rangle}$ to denote the subsequence of $s$ beginning with the $i$th element of the sequence and ending with the $j$th element of the sequence. As a representation for an infinite sequence, we use $\infty$ as the right endpoint value, as in the subsequence $s_{\langle i,\infty\rangle}$. For a finite computation, we extend the last state to form an infinite sequence.

The following model defines, for sequence $s$ and interval formula $\alpha$, the satisfaction relation $s_{\langle i,j\rangle} \models \alpha$. We say that a sequence $s$ satisfies formula $\alpha$ if $s_{\langle 1,|s|\rangle} \models \alpha$. Since our definition of the satisfaction relation will always be referring to portions of the same $s$ sequence, we will refer to $s$ using only its subsequence denotation, i.e., as $\langle i,j\rangle \models \alpha$.

The relation $\langle i,j\rangle \models \alpha$ is defined recursively, based on the structure of the formula, as follows:

$\langle i,j\rangle \models P \ \equiv\ s_i \models P$ (i.e., $P$ is true of the first state of the interval)

$\langle i,j\rangle \models \neg\alpha \ \equiv\ \text{not } \langle i,j\rangle \models \alpha$

$\langle i,j\rangle \models \alpha \wedge \beta \ \equiv\ \langle i,j\rangle \models \alpha \ \text{and}\ \langle i,j\rangle \models \beta$

$\langle i,j\rangle \models \Box\alpha \ \equiv\ \forall k \in \langle i,j\rangle\ \ \langle k,j\rangle \models \alpha$

$\langle i,j\rangle \models \Diamond\alpha \ \equiv\ \exists k \in \langle i,j\rangle\ \ \langle k,j\rangle \models \alpha$

$\langle i,j\rangle \models [I]\alpha \ \equiv\ \mathcal{I}(I, \langle i,j\rangle, F) \models \alpha$

$\bot \models \alpha$

The $\mathcal{I}$ function appearing in the definition of $[I]\alpha$ is an interval-valued function from an interval term, an interval, and a direction of search. The direction of search is denoted by $F$ for forward or $B$ for backward; the logical variable $d$ ranges over $F$ and $B$. The function $\mathcal{I}$ denotes the interval $I$ found in the $\langle i,j\rangle$ context looking in the direction of search. The function is defined to return the null interval value $\bot$ when the interval cannot be constructed. All functions on intervals are strict on $\bot$. By the last clause in the above definition, any formula $\alpha$ is satisfied for such a null interval. This serves as a device to define our partial correctness semantics for interval formulas.


For event term $\alpha$ and interval $\langle i,j\rangle$ we define

$\mathit{changeset}(\alpha, \langle i,j\rangle) = \{\ \langle k-1,k\rangle \ \mid\ k \in \langle i+1,j\rangle \ \wedge\ \langle k-1,j\rangle \models \neg\alpha \ \wedge\ \langle k,j\rangle \models \alpha\ \}$

to define the set of events $\alpha$ occurring in the interval, each event being the interval of change $\langle k-1,k\rangle$ in which $\alpha$ changes from false to true. With this we next define

$\mathcal{I}(\alpha, \langle i,j\rangle, F) = \min(\mathit{changeset}(\alpha, \langle i,j\rangle))$

$\mathcal{I}(\alpha, \langle i,j\rangle, B) = \max(\mathit{changeset}(\alpha, \langle i,j\rangle))$

We assume min and max functions on sets of (interval-valued) pairs are defined in the standard manner (the represented intervals are disjoint). Both min and max return $\bot$ if the set is empty, and max returns $\bot$ for an infinite set. Thus $\mathcal{I}$ returns the interval of change for the first or last event $\alpha$ in the interval $\langle i,j\rangle$, and returns $\bot$ if that interval cannot be found.

Next we define the interpretation of the interval functions begin and end:

$\mathcal{I}(\mathit{begin}\,I, \langle i,j\rangle, d) = \langle\, \mathit{first}(\mathcal{I}(I, \langle i,j\rangle, d)),\ \mathit{first}(\mathcal{I}(I, \langle i,j\rangle, d)) \,\rangle$

$\mathcal{I}(\mathit{end}\,I, \langle i,j\rangle, d) = \langle\, \mathit{last}(\mathcal{I}(I, \langle i,j\rangle, d)),\ \mathit{last}(\mathcal{I}(I, \langle i,j\rangle, d)) \,\rangle$

where $\mathit{first}(\langle i,j\rangle) = i$, $\mathit{last}(\langle i,j\rangle) = j$, and $\mathit{last}(\langle i,\infty\rangle)$ is defined to return $\bot$.
We now define our forward and backward interval construction functions through a recursive interpretation for $\mathcal{I}$ based on the structure of the interval-term argument.

$\mathcal{I}(\Rightarrow, \langle i,j\rangle, d) = \mathcal{I}(\Leftarrow, \langle i,j\rangle, d) = \langle i,j\rangle$

$\mathcal{I}(I\Rightarrow, \langle i,j\rangle, d) = \langle\, \mathit{last}(\mathcal{I}(I, \langle i,j\rangle, d)),\ j \,\rangle$

$\mathcal{I}(I\Leftarrow, \langle i,j\rangle, d) = \langle\, \mathit{last}(\mathcal{I}(I, \langle i,j\rangle, B)),\ j \,\rangle$

$\mathcal{I}(\Rightarrow J, \langle i,j\rangle, d) = \langle\, i,\ \mathit{last}(\mathcal{I}(J, \langle i,j\rangle, F)) \,\rangle$

$\mathcal{I}(\Leftarrow J, \langle i,j\rangle, d) = \langle\, i,\ \mathit{last}(\mathcal{I}(J, \langle i,j\rangle, d)) \,\rangle$

We now derive the semantics of the two-argument arrow operators as the composition of those above.

$\mathcal{I}(I \Rightarrow J, \langle i,j\rangle, d) = \mathcal{I}(\Rightarrow J,\ \mathcal{I}(I\Rightarrow, \langle i,j\rangle, d),\ F)$

$\mathcal{I}(I \Leftarrow J, \langle i,j\rangle, d) = \mathcal{I}(I\Leftarrow,\ \mathcal{I}(\Leftarrow J, \langle i,j\rangle, d),\ F)$

This completes our model for interval logic formulas.

Interval logic specifications are divided into two parts: Init and Axioms. An Init portion states properties to be satisfied at (from) the beginning of a computation, assuming a distinguished starting state. Formally, using the distinguished (uninterpreted) state predicate $\mathit{start}$, each interval formula $\alpha$ within the Init clause is interpreted as an axiom of the form $\mathit{start} \supset \alpha$. The interpretation of $\mathit{start}$ is a methodological concern: the predicate will be mapped to the beginning state of the computation sequence when proving that a program satisfies the specification. The assumption of a distinguished starting state will allow us to more completely characterize correct system or program behavior.
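The model above can be executed directly over a finite trace, which is a convenient way to check one's reading of the arrow operators. The following Python evaluator is an added example, not code from the report: it implements changeset, the interval-valued function $\mathcal{I}$ (with the $F$/$B$ direction of search, strictness on $\bot$, and $\mathit{last}(\langle i,\infty\rangle) = \bot$) and the satisfaction relation over a state sequence extended by repeating its last state, and then evaluates formulas (1), (3), (4) and (7) of Section 2.1 on constructed traces. The tuple encoding of formulas and terms, the representation of states as dictionaries, and the traces themselves are assumptions of the example.

```python
"""Evaluator for the interval logic semantics of Section 3 over a finite trace.
Encoding (an assumption of this example, not the report's notation):
  formulas ("P", pred) ("not", f) ("and", f, g) ("box", f) ("dia", f) ("star", I) ("in", I, f)
  terms    ("ev", f) ("begin", I) ("end", I) ("fwd", I, J) ("bwd", I, J)   # None omits an argument
A finite computation is extended by repeating its last state; the context <i, INF>
runs from state i through that infinite extension, and bottom is represented by None."""
INF = float("inf")
F, B = "F", "B"                      # direction of search

def last(iv):                        # last(<i, INF>) is undefined (bottom)
    return None if iv is None or iv[1] == INF else iv[1]

class IntervalModel:
    def __init__(self, states):
        self.s = states              # one dict per state

    def _range(self, i, j):          # state indices i..j, clipped to the real trace
        return range(i, min(j, len(self.s) - 1) + 1)

    def changeset(self, f, i, j):    # events <k-1,k> in which f turns from false to true
        return [(k - 1, k) for k in self._range(i + 1, j)
                if not self.sat((k - 1, j), f) and self.sat((k, j), f)]

    def I(self, term, ctx, d):       # the interval-valued function of Section 3
        if ctx is None:
            return None              # every interval function is strict on bottom
        i, j = ctx
        kind, args = term[0], term[1:]
        if kind == "ev":             # first (F) or last (B) event in the context
            cs = self.changeset(args[0], i, j)
            return (cs[0] if d == F else cs[-1]) if cs else None
        if kind in ("begin", "end"): # unit interval at the first / last state
            iv = self.I(args[0], ctx, d)
            p = None if iv is None else (iv[0] if kind == "begin" else last(iv))
            return None if p is None else (p, p)
        a, b = args
        if a is None and b is None:  # a bare arrow selects the whole outer context
            return ctx
        if kind == "fwd":
            if b is None:            # I =>  : from the end of the next I onward
                e = last(self.I(a, ctx, d))
                return None if e is None else (e, j)
            if a is None:            # => J  : from i to the end of the first J
                e = last(self.I(b, ctx, F))
                return None if e is None else (i, e)
            return self.I(("fwd", None, b), self.I(("fwd", a, None), ctx, d), F)
        if b is None:                # I <=  : from the end of the last I onward
            e = last(self.I(a, ctx, B))
            return None if e is None else (e, j)
        if a is None:                # <= J  : from i to the end of the first J
            e = last(self.I(b, ctx, d))
            return None if e is None else (i, e)
        return self.I(("bwd", a, None), self.I(("bwd", None, b), ctx, d), F)

    def sat(self, ctx, f):           # <i,j> |= f ; the null interval satisfies everything
        if ctx is None:
            return True
        i, j = ctx
        k, args = f[0], f[1:]
        if k == "P":    return bool(args[0](self.s[i]))
        if k == "not":  return not self.sat(ctx, args[0])
        if k == "and":  return self.sat(ctx, args[0]) and self.sat(ctx, args[1])
        if k == "box":  return all(self.sat((m, j), args[0]) for m in self._range(i, j))
        if k == "dia":  return any(self.sat((m, j), args[0]) for m in self._range(i, j))
        if k == "star": return self.I(args[0], ctx, F) is not None   # *I = not [I]False
        if k == "in":   return self.sat(self.I(args[0], ctx, F), args[1])
        raise ValueError(k)

    def holds(self, f):              # s |= f, i.e. <0, INF> |= f
        return self.sat((0, INF), f)

# Shorthands and constructed traces for the examples of Section 2.1 (not from the report).
def ev(pred):            return ("ev", ("P", pred))
def fwd(I=None, J=None): return ("fwd", I, J)
def bwd(I=None, J=None): return ("bwd", I, J)
def flag(k):             return ev(lambda s: s[k])            # event: flag k becomes set
def st(**kw):            return {k: kw.get(k, False) for k in "ABCD"}

X_EQ_Y, Y_IS_16 = ev(lambda s: s["x"] == s["y"]), ev(lambda s: s["y"] == 16)
X_GT_Z, D_HOLDS = ("P", lambda s: s["x"] > s["z"]), ("P", lambda s: s["D"])
A_B_C = fwd(flag("A"), flag("B")), flag("C")

def formula_1(trace):        # (1)  [x=y => y=16] box x>z
    return IntervalModel(trace).holds(("in", fwd(X_EQ_Y, Y_IS_16), ("box", X_GT_Z)))
def formula_3(trace):        # (3)  [(A => B) => C] <> D
    return IntervalModel(trace).holds(("in", fwd(*A_B_C), ("dia", D_HOLDS)))
def formula_4(trace):        # (4)  [(A => *B) => C] <> D  ==  (3) and [A =>]*B
    return formula_3(trace) and IntervalModel(trace).holds(("in", fwd(flag("A")), ("star", flag("B"))))
def formula_7(trace):        # (7)  [(A => B) <= C] <> D : most recent A => B before the first C
    return IntervalModel(trace).holds(("in", bwd(*A_B_C), ("dia", D_HOLDS)))

T1 = [dict(x=1, y=2, z=0), dict(x=2, y=2, z=0), dict(x=5, y=3, z=1), dict(x=5, y=16, z=1)]
T2 = [dict(x=1, y=2, z=0), dict(x=2, y=2, z=0), dict(x=0, y=3, z=1), dict(x=5, y=16, z=1)]
T3 = T1[:3]                                       # y never becomes 16: (1) holds vacuously
T_ABC = [st(), st(A=True), st(B=True, D=True), st(A=True), st(B=True), st(C=True)]
T_NO_B = [st(), st(A=True), st(C=True)]           # B never occurs

if __name__ == "__main__":
    print(formula_1(T1), formula_1(T2), formula_1(T3))
    print(formula_3(T_ABC), formula_7(T_ABC), formula_3(T_NO_B), formula_4(T_NO_B))
```

On T_ABC the events occur in the order A, B (with D), A, B, C: formula (3) selects the interval from the end of the first B to the end of C and finds D, while formula (7) searches back from C for the most recent A and then forward for its B, selecting the interval from the second B to C, where D never holds. On T_NO_B formula (3) is vacuously true and the $*B$ of formula (4) rejects the trace; on T3, where $y = 16$ never occurs, formula (1) is likewise vacuously true, and `("star", fwd(X_EQ_Y, Y_IS_16))` evaluates to false.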
Chapter 4

A Sampling of Valid Formulas 


In this section we present a selection of valid formulas. Our intention here is simply to illustrate a style of expression and deduction rather than a more comprehensive list of valid formulas or a complete axiomatization. We are currently incorporating a decision procedure for interval logic [Plaisted83] into our STP deduction system [Shostak/Schwartz/Melliar-Smith82]. We are therefore more concerned about the style of expression than an axiomatization of the language or rules of deduction.

As in the previous section, we use $\alpha$, $\beta$, $\gamma$ as logical variables ranging over interval formulas, and $I$, $J$, $K$ ranging over interval terms. Additionally, we use variables $p$, $q$ to range over state predicates (not containing any temporal operators).

Interval formulas distribute across intervals, as indicated by the following formulas.

V1. $[I]\alpha \wedge [I]\beta \ \equiv\ [I](\alpha \wedge \beta)$

V2. $[I]\alpha \supset [I]\beta \ \equiv\ [I](\alpha \supset \beta)$

Expressing the fundamental case split in interpreting interval formulas, we have

V3. $[I]\alpha \ \equiv\ \neg{*I} \ \vee\ [\,*I\,]\alpha$

defining the formula to be true if either the interval cannot be constructed, or if $\alpha$ holds for the constructed interval. Associated with this, we also have

V4. $*I \ \equiv\ \neg[I]\mathit{False}$

V5. $*\alpha \ \equiv\ \Diamond(\neg\alpha \wedge \Diamond\alpha)$

V6. $\neg[I]\alpha \ \equiv\ [\,*I\,]\neg\alpha$

Formula V4 derives the meaning of our interval-eventuality operator in terms of an interval formula, while V5 re-expresses this in terms of nested $\Diamond$ eventuality. Formula V6 defines “pushing” interval formula negation into the interval.

For an arbitrary interval formula $\alpha$, we have the following formulas illustrating the “promotion” of noninterval properties to interval properties.

V7. $\alpha \ \equiv\ [\Rightarrow]\alpha$

V8. $\Box\alpha \ \supset\ \Box[\,I \Rightarrow\,]\alpha$

Formula V7 expresses the fact that the interval $(\Rightarrow)$ selects the complete outer context, while V8 expresses the fact that any invariant $\alpha$ of the outer context will apply in any “tail interval” of the context. A consequence of our basic definition of event terms is

V9. $[\,\alpha \Rightarrow \mathit{begin}\,\neg\alpha\,]\ \Box\alpha$

That is, for the interval beginning with $\alpha$ becoming true and extending until just prior to $\alpha$ becoming false, $\alpha$ will remain true.

As properties of how intervals are constructed, we have

V10. $[\,\mathit{begin}\,\alpha \Rightarrow\,]\,*\beta \ \vee\ [\,\mathit{begin}\,\beta \Rightarrow\,]\,*\alpha$

V11. $[\,\alpha \Leftarrow \beta\,]\gamma \ \equiv\ [\,\Rightarrow \beta\,][\,\neg{*\alpha} \Rightarrow\,]\gamma$

V12. $[\,\Rightarrow I\,]\ \neg\Box{*I}$

Formula V10 expresses a fundamental event-ordering property. For two events designated by $\alpha$ and $\beta$, either (1) one or the other event does not occur, (2) $\alpha$ occurs before $\beta$, (3) $\beta$ occurs before $\alpha$, or (4) both occur at the same time. This case split is often used to prove properties relating multiple events.

For nonnested interval terms, formula V11 reduces the semantics of our backward $\Leftarrow$ operator to an equivalent expression using the forward $\Rightarrow$ operator. In doing this reduction, we employ a nested interval event formula. The embedded event $\neg{*\alpha}$ thus begins when the formula $\neg{*\alpha}$ changes to become true. This becomes true in the first state from which one can no longer find another $\alpha$ event, precisely the $\alpha$ state of the last change to $\alpha$. Of course this kind of “tricky encoding” should be avoided; the backward operator was included in the language to provide a higher-level construct to express this!

Formula V12 expresses the fact that no interval with an upper end point, and therefore finite, can contain an unbounded number of $I$ intervals. This follows from the fact that the occurrence of an event requires a change in predicate value, and thus at least two states. Note that the formula $\Box\Diamond\alpha$ is satisfiable in a bounded interval: it is satisfied by any interval state sequence in which $\alpha$ is true in the last state. Thus, the interpretation of $\Box\Diamond$ as “infinitely often” applies only over infinite intervals.

As basic properties of interval partitioning, we have

V13. $[\,\Rightarrow I\,]\Box p \ \wedge\ [\,I \Rightarrow\,]\Box p \ \supset\ \Box p$

V14. $\Box p \ \supset\ [\,\Rightarrow I\,]\Box p \ \vee\ [\,I \Rightarrow\,]\Box p$

By V13, for any interval term $I$, if a simple property $p$ is true up to $I$ and is true from $I$ onward within the outer context, then $p$ is true throughout the context. Typical use of this would be to establish invariance or eventuality properties for an interval by showing the properties to hold for portions of the interval. Formula V14 expresses the dual of this.


Finally, the following formulas express interval composition.

V15. $[\,I \Rightarrow J\,]\Box p \ \wedge\ [\,(I \Rightarrow J) \Rightarrow K\,]\Box p \ \supset\ [\,I \Rightarrow (J \Rightarrow K)\,]\Box p$

V16. $[\,\Rightarrow (J \Rightarrow K)\,]\alpha \ \wedge\ [\,\Rightarrow *J\,]\neg{*K} \ \supset\ [\,\Rightarrow K\,]\alpha$

Formula V15 defines the composition of two intervals $(I \Rightarrow J)$ and $((I \Rightarrow J) \Rightarrow K)$ to form the interval $(I \Rightarrow (J \Rightarrow K))$. Pictorially, we have

[Figure: three diagrams over events $I$, $J$, $K$ in order: $I \Rightarrow J$ from $\mathit{end}\,I$ to $\mathit{end}\,J$; $(I \Rightarrow J) \Rightarrow K$ from $\mathit{end}\,J$ to $\mathit{end}\,K$; and $I \Rightarrow (J \Rightarrow K)$ from $\mathit{end}\,I$ to $\mathit{end}\,K$.]

A nonembedded interval property $\Box p$ is thus derived for the interval from $I$ to the first $K$ that follows the first $J$ by proving it for the associated $I$ to $J$ and $J$ to $K$ intervals. For the case where one can prove that the first $K$ following $I$ also follows $J$, formula V16 allows the simplification of $(\Rightarrow (J \Rightarrow K))$ to $(\Rightarrow K)$.
Chapter 5

Queue Specifications 


In this section, we illustrate two specifications of queues with asynchronous enqueuing and dequeuing operations. We first consider a reliable (normal) queue, followed by an unreliable queue. Our queue has only two operations: Enq, which takes a single parameter value, which it enqueues, and Dq, which removes the value at the front of the queue and returns that value as its result. We assume in this specification that the queue is unbounded, and require that values enqueued must be distinct. No assumptions are made about the atomicity of, or temporal relationships between, the Enq and Dq operations. These operations can overlap in an arbitrary manner. We do assume that at most one instance each of the Enq and Dq operations will be active at any given time. This avoids a more explicit process-naming convention.

The formula

Queue. $[\,\Leftarrow \mathit{afterDq}(b)\,]\ \big(\,*\mathit{afterDq}(a) \ \equiv\ *(\mathit{atEnq}(a) \Rightarrow \mathit{atEnq}(b))\,\big)$

expresses the fundamental first-in first-out behavior that characterizes a queue. It requires that, for all $a$ and $b$, if we dequeue $b$, then any other value $a$ will be dequeued in the interim if and only if it was enqueued prior to $b$. Further axioms are needed to express liveness requirements on the two operations.





By exchanging the $\mathit{atEnq}(a)$ and $\mathit{atEnq}(b)$ terms in the queue axiom above, yielding

Stack. $[\,\Leftarrow \mathit{afterDq}(b)\,]\ \big(\,*\mathit{afterDq}(a) \ \equiv\ *(\mathit{atEnq}(b) \Leftarrow \mathit{atEnq}(a))\,\big)$

one obtains a last-in first-out queue (i.e., a stack).

In preparation for specifying the services of a communication transmission medium in Section 7, consider a modification to the queue semantics to allow it to be intermittently unreliable. Individual values can be lost from the queue, provided that any value enqueued a sufficient number of times will eventually be available for dequeuing. This specification allows repeated Enq operations for the same value, to permit the value to be reenqueued until it is dequeued. The specification is shown in Figure 5-1.

Init:

I1. $[\,*(\mathit{atEnq}(a) \Rightarrow \mathit{atEnq}(b)) \Leftarrow (\mathit{afterDq}(a) \Rightarrow \mathit{afterDq}(b))\,]\ \mathit{True}$

I2. $[\,\Rightarrow \mathit{afterDq}(a)\,]\ *\mathit{atEnq}(a)$

I3. $[\,\mathit{atEnq}(c) \Rightarrow \mathit{atEnq}(c)\,]\ d \neq c \ \supset\ \neg{*\mathit{atEnq}(d)}$

Axioms:

A1. $\Box{*\mathit{atEnq}} \ \wedge\ *\mathit{atDq} \ \supset\ *\mathit{afterDq}$

A2. $[\,\mathit{atEnq} \Rightarrow\,]\ *\mathit{afterEnq}$

Figure 5-1: Specification of an Unreliable Queue, with distinct enqueued items.


Clause I1 requires that, for all $a$ and $b$, if we dequeue $a$ before dequeuing $b$ then we must have previously enqueued those two items in that same order.

[Figure: a trace with events $*\mathit{Enq}(a)$, $*\mathit{Enq}(b)$, $\mathit{Dq}(a)$, $\mathit{Dq}(b)$ in that order; the dequeuing interval from $\mathit{Dq}(a)$ to $\mathit{Dq}(b)$ fixes the context in which the most recent $\mathit{Enq}(a) \Rightarrow \mathit{Enq}(b)$ interval must be found.]

Note that $a$ and $b$ do not have to be successive items; the clause applies to any


pair of items. If the values of either a or 6, or both, are such that the value 
is never dequeued then it will not be possible to construct the interval between 
their dequeuings. Note that the clause is vacuously satisfied for any pair of values 
for which this dequeuing interval cannot be found. Clause 12 contributes the 
requirement that values must be enqueued prior to being dequeued. These clauses 
are both predicated on items being dequeued and state that items dequeued must 
have been enqueued in the same order. These two clauses place no constraints on 
items lost and thus never dequeued. 13 here expresses the distinct item constraint: 
repeated Enqs must be consecutive; once some other value is enqueued, it is not 
permissible to return to any prior value. 

Axiom Al now expresses the weak constraint that infinitely repeated Enqs 
will ensure that the Dq operation returns. Items can thus be lost from the queue 
as long as, eventually, an item is retained to be dequeued. Axiom A2 requires only 
that the Enq operation terminate. 
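The queue, stack and unreliable-queue axioms above are all statements about the relative order of enqueue and dequeue events, so they can be checked mechanically against a recorded trace of operations. The following trace checker is an added example written for this page; it is not code from the report. It assumes a trace is a list of (op, value) pairs in which "Enq" stands for the event atEnq(value) and "Dq" for the event afterDq(value); the traces at the bottom are constructed for illustration.

```python
"""Trace checker for the queue axioms of Chapter 5 (constructed example)."""
from collections import defaultdict

# A trace is a list of (op, value) pairs in the order the events happened:
# "Enq" is the call event atEnq(value), "Dq" the return event afterDq(value).


def _positions(trace):
    """Map each value to the list of times it was enqueued and dequeued."""
    enq, dq = defaultdict(list), defaultdict(list)
    for t, (op, v) in enumerate(trace):
        (enq if op == "Enq" else dq)[v].append(t)
    return enq, dq


def check_reliable(trace, lifo=False):
    """Queue axiom (or, with lifo=True, the Stack axiom): looking back from any
    afterDq(b), a was dequeued in the interim iff it was enqueued before b
    (after b for the stack). Every value is enqueued once, dequeued at most once.
    Returns a list of violations; an empty list means the trace conforms."""
    enq, dq = _positions(trace)
    errors = []
    for v in list(enq) + [v for v in dq if v not in enq]:
        if len(enq[v]) != 1 or len(dq[v]) > 1:
            errors.append(f"{v}: must be enqueued once and dequeued at most once")
    once = [v for v in enq if len(enq[v]) == 1]
    for b in once:
        if not dq[b]:
            continue                      # interval up to afterDq(b) not found
        for a in once:
            if a == b:
                continue
            a_dequeued_first = bool(dq[a]) and dq[a][0] < dq[b][0]
            a_enqueued_first = enq[a][0] < enq[b][0]
            expected = (not a_enqueued_first) if lifo else a_enqueued_first
            if a_dequeued_first != expected:
                errors.append(f"({a},{b}): dequeue order contradicts enqueue order")
    return errors


def check_unreliable(trace):
    """Safety clauses I1-I3 of Figure 5-1: values may be re-enqueued (consecutively)
    and may be lost, but whatever is dequeued was enqueued first and comes out in
    enqueue order. Liveness (A1, A2) cannot be judged on a finite trace."""
    enq, dq = _positions(trace)
    errors = []
    for v in dq:                                   # I2: enqueued before dequeued
        if not enq[v] or enq[v][0] > dq[v][0]:
            errors.append(f"I2: {v} dequeued before being enqueued")
    seen, last = set(), None                       # I3: no return to a prior value
    for op, v in trace:
        if op == "Enq":
            if v != last and v in seen:
                errors.append(f"I3: enqueue returns to earlier value {v}")
            seen.add(v)
            last = v
    delivered = [v for v in dq if enq[v]]          # I1: dequeue order = enqueue order
    for a in delivered:
        for b in delivered:
            if a != b and dq[a][0] < dq[b][0] and enq[a][0] > enq[b][0]:
                errors.append(f"I1: {a} dequeued before {b} but enqueued after it")
    return errors


# Constructed traces for illustration.
FIFO_TRACE = [("Enq", "a"), ("Enq", "b"), ("Enq", "c"), ("Dq", "a"), ("Dq", "b"), ("Dq", "c")]
LIFO_TRACE = [("Enq", "a"), ("Enq", "b"), ("Enq", "c"), ("Dq", "c"), ("Dq", "b"), ("Dq", "a")]
LOSSY_TRACE = [("Enq", "a"), ("Enq", "a"), ("Enq", "b"), ("Enq", "c"), ("Enq", "c"),
               ("Enq", "c"), ("Dq", "a"), ("Dq", "c")]            # b is lost: allowed
BAD_LOSSY_TRACE = [("Enq", "a"), ("Enq", "b"), ("Enq", "a"), ("Dq", "b"), ("Dq", "a")]
```

Running check_reliable on LIFO_TRACE without lifo=True reports violations, which is exactly the effect of exchanging the two atEnq terms in the axiom; BAD_LOSSY_TRACE trips both I3 (returning to a) and I1 (b out before a although enqueued later).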
Chapter 6 

A Self-Timed Systems Specification 


Self-timed logic [Seitz80] was introduced as a means to reduce complexity 
of asynchronous connections between hardware modules. The method is based 
on a request-acknowledgment protocol which guarantees that a module remains 
inactive until it is requested, and that the request remains in place as long as the 
module is required. The correctness of such systems, if properly constructed, is 
independent of the speed of its components. 

In this section, we use interval logic to describe a simple request-acknowledgment 
protocol. Based on these specifications, we define an arbiter module (adapted from 
[Seitz80] and [Bochmann82]) that determines the order in which two user modules 
obtain access to a shared resource. 


6.1 Request-Acknowledgment Protocol 

The interaction between self-timed modules takes place by a pair of circuits. 
One circuit, indicated by “R”, carries the request from the requesting module to the 
responding module (see Figure 6-1). The second circuit, indicated by “A”, carries 
the acknowledgments in the opposite direction (from the responding module to 
the requesting module). 





Figure 6-1: Interaction Scheme Between Two Modules 

The request-acknowledgment protocol determines how requests and acknowled- 
gements are exchanged between two interacting modules. Using state predicate 
R to indicate that the request signal is up and A that the acknowledgment 
signal is up, the following figure illustrates the flow of signals in the request- 
acknowledgment protocol. 


(Picture: the signal flow, in order, R raised, then A raised, then ¬R (R lowered), then ¬A (A lowered).) 

Note that events R and A then designate signal raising, while events ¬R and ¬A 
designate signal lowering. 

As the figure indicates, after R is set, an acknowledgment signal must occur 
before R can become False again. Note the causality between R and A, requiring 
that the R signal is raised before A. Similarly the acknowledgment signal must 
be False before a request can be initiated, and the A signal cannot be lowered 
until the request has ended. A consequence of these requirements is that a “new” 
request on the same circuit can occur only after the previous acknowledgment has 
ended. Graphically, these specifications of the order of these signal-changes are: 
(Picture: the interval from R to ◇A is annotated ¬A ∧ □R; the interval from A to begin ◇¬R is annotated R ∧ □A; the interval opened by begin ¬R must end with ◇¬A.) 


A precise specification of these properties in interval logic is given in Figure 6-2. 

Init. $\neg R \wedge \neg A$

A1. $[\ R \Rightarrow \Diamond A\ ]\ \neg A \wedge \Box R$

A2. $[\ A \Rightarrow \mathrm{begin}\ \Diamond\neg R\ ]\ R \wedge \Box A$

A3. $[\ \mathrm{begin}\ \neg R \Rightarrow\ ]\ \Diamond\neg A$

Figure 6-2: Request Acknowledgement Protocol Axioms. 


Axiom A1 expresses a requester requirement that a request signal, which may be 
initiated only when the acknowledgment signal is down, remains up at least until the 
acknowledgment signal is raised. 

For the responder, A2 states that the acknowledgment signal, once raised, 
remains up as long as the request stays up (safety). Axiom A3 requires that, after 
lowering the request signal, the acknowledgment must also be lowered at some 
later time. 

The initial condition indicates that the axioms are implied from a point at 
which a request has been reset. 


6.2 Arbiter 

We now give a specification of an arbiter module. The arbiter, adapted from 
[Seitz80] and [Bochmann82], determines the order in which two user modules 
obtain access to a shared resource module. The arbiter AR interacts with the 
user modules U1/U2, the transfer modules T1/T2, and the resource module RM 
(see Figure 6-3) by the request-acknowledgment protocol described in the previous 
section. 



Figure 6-3: The Arbiter Module and its Interacting Modules 

Assume that a user module, U1, requests access to the resource RM by raising 
UR1. The arbiter grants this access by requesting first the transfer module, T1, 
and then the resource module - provided it is not currently servicing any other user 
module. Until the arbiter receives acknowledgments from both the transfer module 
and the resource module, it maintains its requests for each of those modules and 
refrains from sending an acknowledgment to the user. The use of the request- 
acknowledgment protocol ensures that pairs of requests and acknowledgments 
be well-behaved - i.e., that both safety and liveness properties expressed in the 
previous subsection will be obeyed. 

The requirements on the signalling order are graphically specified in the 
following figure: 

(Picture: the outer interval from UR_i to TA_i ∧ RMA is annotated □¬UA_i; within it, the interval from ◇TR_i is annotated ¬RMR ∧ □TR_i; within that, the interval from ◇RMR is annotated □RMR.) 

Init. $\forall k\ \neg UR_k$ \qquad $k \in \{1,2\}$

A1. $[\ UR_i \Rightarrow TA_i \wedge RMA\ ]\ \Box\neg UA_i \wedge [\ \Diamond TR_i \Rightarrow\ ]\ (\Box TR_i \wedge \neg RMR \wedge [\ \Diamond RMR \Rightarrow\ ]\ \Box RMR)$ \qquad $i, j \in \{1,2\}$

A2. $TR_i \supset \neg TR_j$ \qquad $i, j \in \{1,2\},\ i \neq j$

Figure 6-4: Arbiter Axioms 



A precise specification of the arbiter module in interval logic is given in Figure 6-4. 

Axiom A1 establishes three nested intervals, all ending at the first moment at 
which both TA_i and RMA are true. For the outer interval, from UR_i until TA_i 
and RMA, UA_i must be False throughout the interval and TR_i must be found. For 
the contained interval from TR_i, TR_i must remain true throughout the interval, 
and RMR must be False initially but occur later within the interval. For the inner 
interval, once RMR becomes true it must remain true. 

Similar to the initial condition of the request-acknowledgment protocol, all 
user request signals must start low. 
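Both the request-acknowledgment axioms of Figure 6-2 and the arbiter axioms of Figure 6-4 are order constraints on signal changes, so a sampled trace of the signals can be checked against them directly. The checker below is an added example written for this page, not code from the report or from [Seitz80]/[Bochmann82]. It assumes a trace is a list of dicts, one per sampled instant, giving the level of each of the ten signals UR1, UA1, TR1, TA1, UR2, UA2, TR2, TA2, RMR, RMA; the two traces it builds (one conforming cycle for user 1, one in which TR2 is raised while TR1 is still up) are constructed for illustration.

```python
"""Trace checker for the request-acknowledgment protocol (Figure 6-2) and the
arbiter axioms (Figure 6-4). Constructed example, not the report's own code."""

SIGNALS = ("UR1", "UA1", "TR1", "TA1", "UR2", "UA2", "TR2", "TA2", "RMR", "RMA")


def check_handshake(trace, req, ack):
    """Safety part of Figure 6-2 for one circuit pair. `trace` is a list of
    signal-state dicts sampled at every change; `req` and `ack` name the R and A
    signals. Returns a list of violations (empty means the trace conforms)."""
    errors = []
    if trace[0][req] or trace[0][ack]:
        errors.append(f"Init: {req} and {ack} must start low")
    for t in range(1, len(trace)):
        p, c = trace[t - 1], trace[t]
        if c[req] and not p[req] and (p[ack] or c[ack]):
            errors.append(f"t={t}: A1, {req} raised while {ack} is up")
        if p[req] and not c[req] and not p[ack]:
            errors.append(f"t={t}: A1, {req} dropped before {ack} was raised")
        if c[ack] and not p[ack] and not c[req]:
            errors.append(f"t={t}: A2, {ack} raised without {req}")
        if p[ack] and not c[ack] and c[req]:
            errors.append(f"t={t}: A2, {ack} dropped while {req} is still up")
    return errors


def check_arbiter(trace):
    """Figure 6-4: every circuit pair obeys the handshake, the two transfer
    requests are never up together (A2), and each user request opens the three
    nested intervals of A1. A request never acknowledged leaves A1 vacuous."""
    errors = []
    for i in "12":
        errors += check_handshake(trace, "UR" + i, "UA" + i)
        errors += check_handshake(trace, "TR" + i, "TA" + i)
    errors += check_handshake(trace, "RMR", "RMA")
    errors += [f"t={t}: A2, TR1 and TR2 both up"
               for t, s in enumerate(trace) if s["TR1"] and s["TR2"]]
    for i in "12":
        UR, UA, TR, TA = "UR" + i, "UA" + i, "TR" + i, "TA" + i
        for t0 in range(1, len(trace)):
            if not (trace[t0][UR] and not trace[t0 - 1][UR]):
                continue                                  # no UR_i event here
            ends = [t for t in range(t0, len(trace)) if trace[t][TA] and trace[t]["RMA"]]
            if not ends:
                continue              # context not established: A1 vacuously true
            w = trace[t0:ends[0] + 1]                     # outer interval
            if any(s[UA] for s in w):
                errors.append(f"t={t0}: A1, {UA} raised inside the request interval")
            tr = [k for k, s in enumerate(w) if s[TR]]
            if not tr:
                errors.append(f"t={t0}: A1, {TR} never raised before acknowledgment")
                continue
            inner = w[tr[0]:]                             # interval from TR_i
            if not all(s[TR] for s in inner):
                errors.append(f"t={t0}: A1, {TR} dropped before acknowledgment")
            if inner[0]["RMR"]:
                errors.append(f"t={t0}: A1, RMR already up when {TR} was raised")
            rm = [k for k, s in enumerate(inner) if s["RMR"]]
            if not rm:
                errors.append(f"t={t0}: A1, RMR never raised")
            elif not all(s["RMR"] for s in inner[rm[0]:]):
                errors.append(f"t={t0}: A1, RMR dropped before acknowledgment")
    return errors


def _step(prev, **changes):
    s = dict(prev)
    s.update(changes)
    return s


def user1_cycle():
    """Constructed trace of one complete access by U1 in the order of Figure 6-4."""
    t = [{name: False for name in SIGNALS}]
    t.append(_step(t[-1], UR1=True))              # user requests
    t.append(_step(t[-1], TR1=True))              # arbiter requests transfer module
    t.append(_step(t[-1], TA1=True))              # transfer module acknowledges
    t.append(_step(t[-1], RMR=True))              # arbiter requests the resource
    t.append(_step(t[-1], RMA=True))              # resource acknowledges
    t.append(_step(t[-1], UA1=True))              # arbiter acknowledges the user
    t.append(_step(t[-1], UR1=False))             # user drops the request
    t.append(_step(t[-1], UA1=False, TR1=False, RMR=False))   # arbiter releases
    t.append(_step(t[-1], TA1=False, RMA=False))  # modules drop acknowledgments
    return t


def conflicting_cycle():
    """Same cycle, but TR2 is raised while TR1 is still up (violates A2)."""
    t = user1_cycle()
    return t[:3] + [_step(s, TR2=True) for s in t[3:]]
```

check_handshake can be used on its own for a single R/A pair, which is how the Section 6.1 protocol is checked before the arbiter composes three such pairs.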
Chapter 7 

Protocol Specification 


This section outlines the use of interval logic in the communication protocol 
and service area. When dealing with a communication system, it is of particular 
importance to state the conceptual requirements directly and intuitively. A great 
advantage of the interval-logic approach is its inherent flexibility and the relatively 
high degree of selectivity it offers when choosing suitable state information. To 
illustrate the use and the appropriateness of this language the Alternating Bit 
protocol is selected as an example. This protocol can be considered as a rather 
simple, but not trivial, example of a Data Link layer protocol. (The concept of 
layering is specified in the ISO OSI Basic Reference Model [ISO82].) 

7.1 Introduction 

Protocols are defined as a set of rules that determine the required com- 
munication behavior of communicating entities with respect to their functions. 
Communication services are defined as capabilities of communicating entities at 
the user’s service access points [ISO82]. 

A service specification defines the services provided by a layer, describing only 
that behavior visible to the users at the layer above. The protocol specification 


refines the service specification in order to define the requirements of each entity 
supporting the service on one layer through interaction with the service of the 
next lower layer. (This principle is illustrated in Figure 7-1.) 


(Figure 7-1: the n service is offered above two peer n-entities, which communicate by the n protocol and use the n-1 service below them.) 

Figure 7-1: Principle of the OSI-Architecture 


As such, a protocol standard imposes (or should impose) sufficient constraints 
to ensure that any implementation that satisfies the standard will uphold con- 
tinued communication between entities. The standard should also be sufficiently 
liberal to allow any implementation that would uphold continued communication 
with other implementations, thus satisfying the standard. Therefore a protocol 
specification should serve as a formal contract between the overall protocol layer 
and each distributed component; any component satisfying its local specification 
should be capable of successfully joining the network. 

The objective of the Data Link layer is to detect and possibly correct errors 
that may occur in the underlying Physical Link layer. For the purpose of this 
paper, only one direction of data transmission of the Alternating Bit (AB) protocol 
is considered. 


7.2 The AB Protocol Used for Illustration 

The AB protocol is used to provide a reliable message communication over 
an unreliable transmission line through repeated transmission. It considers mes- 
sages one at a time and cannot proceed to the next message until it receives 
acknowledgement that its current message has been received correctly. The mes- 
sage is placed in a packet with a one-bit sequence number (hence the name of the 
protocol), and an acknowledgment is assumed to consist of the return of the same 
packet (although only the sequence number is really required). Several packets 
may be in transit simultaneously. The protocol recovers successfully from packets 
lost, duplicated, or delayed by the transmission line, as long as no packets arrive 
out of order. We consider only the half-duplex protocol providing unidirectional 
message transfer. 

A refinement of the Data Link layer entities for the AB protocol may consist 
of an input queue and a Sender process as well as a Receiver process and an output 
queue. The structure of such AB protocol entities is illustrated in Figure 7-2. 



Figure 7-2: Structure of AB protocol entities 


The scenario of sending one message can be described by assuming that the 
Sender entity gets a message m by means of Send(m) from the sending user. It 
will be placed in the Sender queue. The Sender process dequeues (through Dq(m)) 
the message and transmits it together with the Sender’s current sequence number 
v as a packet through T_s(m, v). The Receiver entity gets packets by means of 
R_r(m, v). Acknowledgements are sent from the Receiver entity through T_r(m, v) 
and received by the Sender entity by means of R_s(m, v). Messages from the 
Receiver process can be stored by means of Enq(m) in the Receiver queue from 
which the receiving user can dequeue them by using Rec(m). 


7.3 Specification of the Operations 

The abstract operations of the Sender process and the Receiver process are: 

- Dq(m) to obtain the next message to be sent. 

- T_s(m, v) to transmit a packet consisting of a message and a sequence number. 

- R_s(m, v) to receive an acknowledgement with a sequence number. 

- R_r(m, v) to receive a packet with a message and a sequence number. 

- T_r(m, v) to transmit an acknowledgement containing a sequence number. 

- Enq(m) to add a message to the Receiver queue. 


7.4 Specification of the Service Used and the Service Provided 

The service used defines a service of an unreliable medium and therefore 
subject to loss or corruption of the sent data, but not subject to a reordering of the 
sequence of submitted packets. It is also assumed that, by repeated retransmission 
of a packet, it will be delivered uncorrupted at some time. This characteristic 
is equivalent to the properties of the unreliable queue specified in Section 6. 
Therefore the specification of the service used consists of the mapping of T_s to 
Enq and of R_r to Dq, in order to get the unreliable transmission service for the 
packet transmission. The unreliable transmissions of acknowledgements can be 
specified by an analogous mapping of T_r and R_s to Enq and Dq, respectively. 
Two unreliable queues, one for the packet flow and one for the acknowledgement 
flow, represent the service through which the AB Sender and Receiver processes 
are communicating with each other. 

Similar to the approach taken to specify the unreliable medium, the reliable 
message exchange between two users in the one-way exchange mode has the 
same characteristic as the reliable queue. Therefore a similar mapping as above, 
associating Send with Enq and Rec with Dq, provides the specification for 
the service provided. 


One may also be interested in the service provided by the sublayer consisting 
only of the two processes (based on the same characteristics of the underlying 
medium). In this case only the dequeue and enqueue operations have to be 
considered. It will turn out (with respect to the imposed behavior of the AB 
Sender process and the AB Receiver process described in the following subsections) 
that this service is just the service that could be represented by a one element 
(maximum) queue. For this reason, of course, the AB protocol is not efficient for 
long delay links. 


7.5 AB Protocol Specification 

The protocol specification focuses on the Sender process and the Receiver 
process. 

Consider what requirements one would like to impose on the visible behavior 
of the Sender process as part of a protocol standard. We will assume the following 
requirements are desired: 

1. Successive messages must be transmitted in packets having alternating se- 
quence numbers. 

2. The sequence of distinct packets transmitted must follow the sequence of 
messages dequeued. 

3. Having initiated transmission of a packet containing a new message, only that 
message may be transmitted until the first uncorrupted acknowledgement 
with the transmitted sequence number is received. 

4. Having initiated transmission of a message, continued retransmission must 
occur at least until an acknowledgement is received. 

5. If acknowledgements for the last transmitted packet are repeatedly received, 
they must lead to a call to dequeue another message. Any finite number of 
acknowledgements may be ignored. 


6. No packet may be transmitted during a dequeue. (By (5), the acknowl- 
edgement for the last packet must have been noted, prior to the call of de- 
queue, with the next message not yet available.) 

The requirements we assume for the visible behavior of the Receiver process 
are as follows: 

1. Until the next packet is received, acknowledgements may be transmitted 
only for the last packet received. 

2. If packets are received repeatedly, they must eventually be acknowledged. 
Any finite number of packets may be ignored. 

3. In accordance with the Sender requirement that successive messages be trans- 
mitted in packets with alternating sequence numbers, the Receiver can deliver 
successive messages only from packets with alternating sequence numbers. 

4. Only messages from received packets are allowed to be delivered. 

5. The message contained in a packet must be delivered before a packet with 
a different sequence number can be acknowledged. Note that this allows the 
Receiver process to store the packets temporarily, since the delivery can occur 
after the reception of a new packet. 

6. Having initiated acknowledgement of a packet, the contained message must 
eventually be delivered. 

For the Sender process: 

Figure 7-3 illustrates the initial property and the three axioms corresponding 
to the above informal requirements. The initial property Init states that no 
transmissions occur before the first dequeue and that, at the time of the first 
dequeue, the value of the expected sequence number has been set to a distinguished 
initial value. 
Init. $[\ \Rightarrow atDq\ ]\ \neg\Diamond atT_s \wedge [\ \Diamond atDq \Rightarrow\ ]\ exp = initial$

A1. $[\ afterDq(m) \Rightarrow\ ]\ exp = v \supset [\ \mathrm{end}\ afterDq\ ]\ exp = \bar v$
    $\wedge\ [\ \Rightarrow atDq\ ]\ \Diamond afterR_s(m, v)$
    $\wedge\ \Box [\ \mathrm{end}\ atT_s\ ]\ atT_s(m, v)$

A2. $[\ afterDq(m) \Rightarrow\ ]\ exp = v \supset (\Box\Diamond afterR_s(m, v) \supset \Diamond atDq)$
    $\wedge\ \neg\Diamond atDq \supset \Box\Diamond atT_s(m, v)$

A3. $inDq \supset \neg inT_s$

Figure 7-3: Specification of Sender for AB Protocol. 


Rather than use interval expressions to establish temporally the alternation 
of outgoing sequence numbers, we introduce state component exp, indicating 
the expected sequence number. This simplifies our temporal expressions while 
not overly constraining implementation strategy. Note that the value of exp is 
specified only at the time of returns from Dq. 

The three clauses in Axiom Al express the basic safety requirements on the 
Sender. In clause order, they are: 

• After returning from dequeuing a message m with the currently expected 
sequence number v, the expected sequence number will be $\bar v$ (i.e., v incremented 
modulo 2) at the time of the next dequeue. 

• At least one uncorrupted acknowledgement with the expected sequence number 
v must be received before the next message can be dequeued. 

• Until the next message is dequeued, only <m, v> packets may be trans- 
mitted. 
Graphically: 

(Picture: the interval from afterDq(m) to the next atDq, with exp = v at its start and exp = v̄ at the following afterDq; within the interval ◇afterR_s(m, v) must occur and every transmission is atT_s(m, v).) 

The two clauses of Axiom A2 express Sender liveness requirements. After 
returning from dequeuing a message m, with current sequence number v, repeated 
acknowledgements for sequence number v must lead to a request for another message 
from the queue. Furthermore, if the Sender never attempts to dequeue another 
message, it must continually retransmit the current packet <m, v>. 

Axiom A3 expresses a further safety requirement: while the Sender is dequeu- 
ing another message, no packet can be transmitted. 

For the Receiver process: 

Figure 7-4 illustrates the Receiver specification. The initial property is that, 
until receipt of an initial packet, there will be no prior delivery of messages or 
transmission of acknowledgements, and from that receipt onward, transmission of 
the first acknowledgement leads to delivery of the message. Again, we introduce 
a state component exp, defining the current sequence number only at the time of 
a call on Enq. 

Axiom A1 expresses a safety property about acknowledgments: between 
receiving a packet <m, v> and the next packet receipt, acknowledgements will 
be sent only for sequence number v. 

(Picture: the interval from afterR_r(m, v) to the next atR_r, throughout which every transmission is T_r(m, v).) 
Init. $[\ \Rightarrow atR_r\ ]\ \neg\Diamond atEnq \wedge \neg\Diamond atT_r(a, b)$
    $\wedge\ [\ \mathrm{begin}\ atR_r \Rightarrow\ ]\ [\ \mathrm{end}\ atT_r\ ]\ atT_r(f, w) \supset [\ \Diamond\mathrm{end}\ atEnq\ ]\ atEnq(f)$
    $\wedge\ exp = w$

A1. $[\ afterR_r(m, v) \Rightarrow afterR_r\ ]\ \Box [\ \mathrm{end}\ atT_r\ ]\ atT_r(m, v)$

A2. $\Box\Diamond afterR_r(m, v) \supset \Diamond atT_r(m, v)$

A3. $[\ atEnq \Rightarrow\ ]\ exp = v \supset [\ atEnq \Rightarrow\ ]\ exp = \bar v$
    $\wedge\ [\ \Rightarrow atEnq(m)\ ]\ \Diamond afterR_r(m, v)$
    $\wedge\ [\ afterR_r(p, v) \Rightarrow atT_r(q, \bar v)\ ]\ \Diamond atEnq(p)$
    $\wedge\ \Diamond atT_r(n, v) \supset \Diamond atEnq(n)$

Figure 7-4: Specification of Receiver for AB Protocol. 


Axiom A2 expresses a liveness property about acknowledgments: If packets 
are received continually, they must eventually be acknowledged. 

Axiom A3 expresses safety properties related to message receipt. The interval 
logic formula combines these requirements in order to exhibit their dependence 
on a common context. In clause order, their contribution is as follows. 

• Delivery of successive messages must result from packets with alternating se- 
quence numbers v and $\bar v$. 

• Delivery of a message must be preceded by its receipt. 

• Having received a packet, the contained message must be delivered before an 
acknowledgement for a packet with a different sequence number is transmitted. 

• Acknowledging a packet n must ensure delivery of its message, but that 
acknowledgement may be transmitted before or after the delivery occurs. 
(Picture: the interval from afterR_r(p, v) to atT_r(q, v̄), within which ◇atEnq(p) must occur.) 
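The Sender and Receiver requirements of Section 7.5, together with the two unreliable queues of Section 7.4 that carry packets and acknowledgements, describe a system small enough to simulate and check. The simulation below is an added example written for this page, not code from the report. It assumes, beyond what the report states, that both processes start with sequence number 0 (the report only says the Sender's exp starts at a distinguished initial value), that each process takes one step per loop iteration, and that loss and duplication are drawn from a seeded pseudo-random source; the message list is constructed for illustration.

```python
"""Simulation of the one-way Alternating Bit protocol of Chapter 7 over two
unreliable queues, with a checker for the Section 7.5 requirements.
Constructed example; the report gives no code."""
import random
from collections import deque


class UnreliableQueue:
    """Transmission medium as in Section 7.4: items may be lost or duplicated
    but are never reordered (the unreliable queue of Figure 5-1)."""

    def __init__(self, rng, p_loss, p_dup):
        self.rng, self.p_loss, self.p_dup, self.items = rng, p_loss, p_dup, deque()

    def enq(self, packet):                       # T_s / T_r
        if self.rng.random() < self.p_loss:
            return                               # packet lost
        self.items.append(packet)
        if self.rng.random() < self.p_dup:
            self.items.append(packet)            # packet duplicated

    def dq(self):                                # R_r / R_s; None if nothing arrived
        return self.items.popleft() if self.items else None


class Sender:
    def __init__(self, messages, line):
        self.queue, self.line = deque(messages), line
        self.exp = 0                # assumed initial sequence number
        self.current = None         # packet <m, v> being (re)transmitted
        self.dequeued, self.transmitted = [], []

    def step(self, ack):
        # An acknowledgement carrying the expected sequence number ends the message.
        if self.current and ack is not None and ack[1] == self.current[1]:
            self.exp = 1 - self.exp              # v becomes v-bar (requirement 1)
            self.current = None
        if self.current is None and self.queue:  # Dq; nothing is sent meanwhile (6)
            m = self.queue.popleft()
            self.dequeued.append(m)
            self.current = (m, self.exp)
        if self.current:                         # retransmit until acknowledged (3, 4)
            self.transmitted.append(self.current)
            self.line.enq(self.current)


class Receiver:
    def __init__(self, line):
        self.line, self.exp, self.delivered = line, 0, []   # assumed initial exp

    def step(self, packet):
        if packet is None:
            return
        m, v = packet
        if v == self.exp:                        # new packet: deliver and flip (3, 4, 5)
            self.delivered.append(m)             # Enq(m) into the Receiver queue
            self.exp = 1 - v
        self.line.enq((m, v))                    # acknowledge the packet just received (1, 2)


def run(messages, seed=1, p_loss=0.3, p_dup=0.2, steps=400):
    """Drive Sender and Receiver for a fixed number of steps; returns both."""
    rng = random.Random(seed)
    data = UnreliableQueue(rng, p_loss, p_dup)
    acks = UnreliableQueue(rng, p_loss, p_dup)
    s, r = Sender(messages, data), Receiver(acks)
    for _ in range(steps):
        s.step(acks.dq())
        r.step(data.dq())
    return s, r


def check_requirements(messages, s, r):
    """Returns the Section 7.5 requirements the run violated (empty if none)."""
    problems = []
    if r.delivered != list(messages):
        problems.append("messages not delivered exactly once, in order")
    distinct = [p for k, p in enumerate(s.transmitted)
                if k == 0 or p != s.transmitted[k - 1]]
    if [m for m, _ in distinct] != s.dequeued:
        problems.append("distinct packets do not follow the dequeue order (2)")
    if any(distinct[k][1] == distinct[k + 1][1] for k in range(len(distinct) - 1)):
        problems.append("successive messages do not alternate sequence numbers (1)")
    return problems


MESSAGES = ["m0", "m1", "m2", "m3"]               # constructed sample input
```

With p_loss and p_dup set to 0 the run is deterministic and each message costs one round trip; with losses the Sender keeps retransmitting the current packet, duplicates cause extra acknowledgements that the Sender ignores, and the FIFO property of the medium is what makes comparing only the sequence number of an acknowledgement sufficient.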
Chapter 8 

A Specification of Distributed Mutual Exclusion 


The intent of this specification is to ensure exclusive access to a shared critical 
section by some set of processes. Each process is to make an independent decision 
based on a shared global data structure. In stating the specification, we assume a 
state predicate cs(i) which, for process i, indicates that i is in the critical section. 
For a shared global data structure, we assume a state predicate x(i) which, for 
process i, indicates i's intention to enter the critical section. We wish to state 
minimal requirements on the use of state predicate x by a process to ensure mutual 
exclusion. Pictorially we represent the required behavior as follows: 

(Picture: the interval from ◇x(i) to cs(i), annotated, for all j ≠ i, □x(i) and ◇¬x(j).) 

As shown, an entry of the critical section by process i must be preceded by an 
earlier setting of x(i) to true. Throughout this interval x(i) must remain true, and, 
for every other process j, there must be some moment within the interval at which 
x(j) is false. This specification imposes no requirement on the order or frequency 
of inspecting the x(j)s; it suffices that, at some time during the interval, each x(j) 
is false. Herein lies the basic reason for exclusion. x(i) remains true through the 
interval, and no other x(j) can be true for that interval. Thus no other process j 
can find x(i) false between the time that i signals his intention and the time that 
i leaves the critical section (or abandons his claim). The specification does not, 
however, ensure the absence of deadlock. 

Figure 8-1 gives the interval logic specification. Given an initial condition 
in which all processes have relinquished their claims, axiom A1 expresses our 
previous pictorial requirement that, if process i enters the critical section, then 
for the interval back to the most recent setting of x(i), each x(j) must be found 
to be false. Axiom A2 requires that x(i) remains true while i is in the critical 
section. We have not needed to state explicitly that there must be a setting of 
x(i) prior to the entry. Valid formula V5 of section 4 can be used to deduce this 
from the initial assumption and A2. Similarly we can deduce that x(j) remains 
true through that interval. 

From this specification, we now demonstrate the mutual exclusion property 
that henceforth no pair of processes can both be in the critical section at the same 
time, i.e., 

Init. $\forall m\ \neg x(m)$

A1. $i \neq j \supset [\ x(i) \Leftarrow cs(i)\ ]\ \Diamond\neg x(j)$

A2. $cs(i) \supset x(i)$

Figure 8-1: Specification of Distributed Mutual Exclusion Algorithm 


$\forall m\ \neg x(m) \wedge i \neq j \supset \Box\neg(cs(i) \wedge cs(j))$

Pictorially, we show that a violation of mutual exclusion, with both processes in 
the critical section, requires that one process enter while the other is already in, 
or just entering, the critical section. 


(Picture: cs(i) already holds; ¬cs(j) holds and then ◇cs(j) occurs, so that j enters while i is inside.) 

From the axioms, we know that each entry must be preceded by a setting of the 
corresponding x. Two situations arise. Either setting x(j) precedes setting x(i), or 
x(j) is set at the same time or after x(i). 


(Pictures: case 1, x(j) is set before x(i), so that the interval from x(i) to cs(i) lies inside the interval from x(j) to cs(j); case 2, x(j) is set at the same time as or after x(i), while cs(i) holds until ¬cs(i).) 

In the first case, since the interval $x(i) \Leftarrow cs(i)$ is fully contained in the interval 
$x(j) \Leftarrow cs(j)$, process i could not have found the required false x(j) in that interval. 
Similarly, in the second case j could not have found x(i) false. Since neither of 
these two situations can arise, the postulated violation of mutual exclusion could 
not occur. 

In interval logic, our proof is given in Figure 8-2. With mechanized decision- 
procedure support in the style of [Shostak/Schwartz/Melliar-Smith82, Plaisted83], 
the only user input necessary, in principle, is instantiation of the free variable 
m in our initial assumption, and of I in step L2. More realistically, the proof 
would likely be decomposed into user-provided steps L2 and L5. The other steps, 
including the major case split expressed in Ll, would follow automatically as part 
of the complete theory. 

Lemma L1 expresses the case split illustrated above, elaborated to include a 
third case in which a process enters and never exits the critical section. To avoid 
considering the symmetric argument of which process enters the critical section 
first, the antecedent is expressed in terms of quantified k and l. This lemma is valid within 
the interval theory. 

L1. $\forall m\ \neg x(m)$
    $\wedge\ \forall k, l\ .\ k \neq l \supset \Box(\ [\ \mathrm{begin}(x(k) \Leftarrow cs(k)) \Rightarrow \mathrm{begin}(\neg cs(k))\ ]\ \neg\Diamond(x(l) \Leftarrow cs(l))$
    $\wedge\ \neg\Diamond\neg cs(k) \supset \neg\Diamond(x(l) \Leftarrow cs(l))$
    $\wedge\ [\ \mathrm{begin}(x(l) \Leftarrow cs(l))\ ]\ \neg\Diamond(x(k) \Leftarrow cs(k))\ )$
    $\supset \Box\neg(cs(i) \wedge cs(j))$

L2. $\neg x(j) \wedge i \neq j \supset \Box [\ I\ ]\ (\Box x(i) \supset \neg\Diamond(x(j) \Leftarrow cs(j)))$

L3. $[\ x(m) \Leftarrow cs(m)\ ]\ \Box x(m)$

L4. $[\ cs(m) \Rightarrow\ ][\ \Rightarrow \mathrm{begin}(\neg cs(m))\ ]\ \Box x(m) \wedge \neg\Diamond\neg cs(m) \supset \Box x(m)$

L5. $[\ \mathrm{begin}(x(m) \Leftarrow cs(m))\ ][\ \Rightarrow \mathrm{begin}(\neg cs(m))\ ]\ \Box x(m) \wedge \neg\Diamond\neg cs(m) \supset \Box x(m)$

Figure 8-2: Proof of the Mutual Exclusion Property. 

Lemma L2 states that, if x(i) is true throughout an interval I, then it is not 
possible to find the $x(j) \Leftarrow cs(j)$ interval. By axiom A1, if the interval were found, 
there would be within it a ¬x(i) state, contradicting the antecedent. 

Lemmas L3 and L4 state intervals throughout which x(m) is true. Both 
lemmas follow directly from axiom A2. Combining L3 and L4, we obtain lemma 
L5 for the composed interval, from the x(m) preceding entry until the exit if any, 
otherwise indefinitely. 

Instantiating the free interval variable I in L2 with the intervals of L5, we 
use the invariant □x(m) of L5 to establish the antecedent of the implication in 
L2. We then use the consequent of L2 to establish each of the three cases of L1, 
thereby establishing the conclusion and completing the proof. 
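The theorem just proved can also be tested by brute force for two processes over discrete time: enumerate every short trace of the four state predicates, keep the traces that satisfy Init, A1 and A2 of Figure 8-1, and check that none of them has both processes in the critical section. The script below is an added example written for this page, not the report's proof or its decision procedure. It assumes that a state is the tuple (x(1), x(2), cs(1), cs(2)), that an event such as cs(i) is the predicate becoming true from one step to the next, and that "the most recent setting of x(i)" is the start of the run of states in which x(i) holds; the CASE1 trace is constructed to reproduce case 1 of the proof sketch.

```python
"""Exhaustive check of the Chapter 8 mutual exclusion theorem on short traces.
Constructed example: it restates Figure 8-1 for two processes over discrete
time and is not the report's proof or decision procedure."""
from itertools import product

# A state is (x1, x2, cs1, cs2); a trace is a tuple of states.
I, J = 0, 1            # indices of x(1), x(2); cs(1), cs(2) sit at 2 + I, 2 + J


def claim_start(trace, i, t):
    """Start of the run of states with x(i) true that contains time t: the most
    recent setting of x(i), i.e. the left end of the interval x(i) <= cs(i)."""
    s = t
    while s > 0 and trace[s - 1][i]:
        s -= 1
    return s


def holds_A2(state):
    """A2: cs(i) implies x(i)."""
    return all(not state[2 + i] or state[i] for i in (I, J))


def holds_A1(trace):
    """A1: at each entry of i into the critical section, looking back to the most
    recent setting of x(i), some state in that interval must have x(j) false."""
    for t, state in enumerate(trace):
        for i, j in ((I, J), (J, I)):
            entered = state[2 + i] and (t == 0 or not trace[t - 1][2 + i])
            if not entered or not state[i]:
                continue              # no entry here, or A2 already fails
            s = claim_start(trace, i, t)
            if all(trace[u][j] for u in range(s, t + 1)):
                return False
    return True


def satisfies_spec(trace):
    """Init (all claims false at the start) together with A1 and A2 throughout."""
    return (not trace[0][I] and not trace[0][J]
            and all(holds_A2(st) for st in trace) and holds_A1(trace))


def mutual_exclusion(trace):
    return not any(st[2] and st[3] for st in trace)


def exhaustive_check(length):
    """Enumerate every trace of the given length starting from the all-false
    state, keep those satisfying the specification, and test the theorem on each.
    Returns (number of conforming traces, whether the theorem held on all)."""
    states = list(product((False, True), repeat=4))
    count = 0
    for rest in product(states, repeat=length - 1):
        trace = ((False, False, False, False),) + rest
        if satisfies_spec(trace):
            count += 1
            if not mutual_exclusion(trace):
                return count, False
    return count, True


# Case 1 of the proof sketch: x(2) is set before x(1), then both enter together.
CASE1 = ((False, False, False, False),
         (False, True, False, False),
         (True, True, False, False),
         (True, True, True, True))
```

CASE1 is rejected by A1 rather than by the theorem: at process 1's entry the interval back to its x(1) setting has x(2) true throughout, which is exactly the containment argument of the proof; the exhaustive run confirms that no trace the axioms admit reaches a state with cs(1) ∧ cs(2).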
Chapter 9 

Analysis and Conclusions 


This report presents a preliminary version of the Interval Logic and illustrates 
its application to several different problem domains. We are reasonably satisfied 
with its success, although we expect further honing of the language as we gain 
more experience with specification and verification attempts. But much remains 
to be done before Interval Logic can be used for the specification and verification of 
operating systems or asynchronous applications programs. The next steps required 
are: 

• The current logic does not distinguish the various concurrent processes of a 
multiprocess system, and does not attribute operations to processes. A notation 
is required to identify processes and to associate operations and state variables 
with processes. 

• A method must be devised for composing together the specifications of individual 
processes, or of small multiprocess systems, so as to form the specification 
of a larger multiprocess system. 

• Theory and techniques must be developed to allow the hierarchical development 
of specifications in Interval Logic, with temporal mappings between levels of 
abstraction. 




• Using these techniques, the semantics of a concurrent programming language 
must be defined. 

• Methods must be developed to use Interval Logic, with the language definition 
and the specification of the required behavior, to develop a concurrent program 
verification method. Taking advantage of the power of Interval Logic to im- 
prove on the efficiency of the current methods will be important if the method 
is to be effective in practical use. 

• Although an initial version of a decision procedure for the Interval Logic has 
been constructed, further investigation of the theory of deciding the logic is needed. 
Work is still required to improve its performance and also to integrate it into 
the Specification and Verification Environment currently under development. 

• Interval Logic lends itself to graphical representation, and we feel that such 
graphical representations can greatly assist in human comprehension of concur- 
rent specifications, which are otherwise difficult to understand. The mechani- 
cal support for such graphical representation, both input and output, requires 
investigation. 

At the heart of the interval logic design is the decision to support a be- 
havioral style of specification and reasoning. A cause/effect style pervades our 
specifications - always of the form “given a particular context, some future be- 
havior of the system must occur”. As discussed in [Schwartz/Melliar-Smith 82 ], 
this form of specification is closer to the intuitive operational understanding of 
requirements, while still managing to avoid details of operational implementa- 
tion. More history-related specifications, capturing a static view of necessary 
relationships between different input/output histories, don’t seem to provide the 
same degree of intuition crucial to understanding and reasoning about a system 
from its specification. 

The decision to base interval formation on “state-change events” was motivated 
by the observation that establishing context almost always required seeing a 
change in state. Without “anchoring” requirements on properties becoming true, 
one often cannot guarantee that the proper interval has been identified. This is 
particularly true for eventuality properties. 

Two language decisions related to this notion of context establishment are 
the decisions (1) to make interval formulas vacuously true whenever the context 
cannot be established, and (2) to interpret interval formulas as properties of the 
next time the context occurs. Both these decisions support an abstract form of 
operational thinking. Having sufficient expressive power to conveniently establish 
context requirements either temporally or through the use of state components 
proved to be an important method of directing the level of abstraction of the 
specification. 

Based on previous experience with formal specification methods, we do not 
think any specification method for distributed and concurrent systems can be suc- 
cessful without mechanical verification support. The level of process interaction 
makes it only too easy to make incorrect or incomplete analysis of specifications, 
regardless of the amount of human care that is taken. Experience with informal 
proof techniques and unverified specifications has led us to include mechanical 
verification support as a crucial part of any specification language design effort. 
The emphasis in designing the interval logic was to retain decidability in order 
to provide a complete decision procedure. Although interval logic has a complete 
axiomatization, through a reduction to linear-time temporal logic, we do not ex- 
pect anyone to attempt to use the axiomatization in doing a proof. For this reason, 
we chose features on the basis of utility rather than mathematical elegance. 

One direction for further work that may prove extremely fruitful is develop- 
ment of a formal graphical representation of specifications and proofs. The ability 
to represent specifications and proof arguments pictorially could greatly enhance 
intuitive understanding of temporal properties. 

Preliminary analysis of the computational complexity of the logic indicates 
it is PSPACE-complete, the same order of complexity as for linear-time temporal 
logic. We, with David Plaisted playing the primary role, have developed an 
experimental decision procedure for interval logic, described in the attached papers 
by Dr Plaisted. 
Several other higher-order temporal languages have appeared in the litera- 
ture. Lamport introduced a Timeset language[Lamport80] for defining properties 
of intervals. At the heart of the language proposal are terms of the form [P ⇒ Q), 
denoting the set of all time intervals starting with a state in which property P is 
true and extending to all points such that Q has remained false. Such all-inclusive 
terms make it difficult to avoid capturing unexpected and unwanted contexts, and, 
we believe, result in nonelementary computational complexity. 

Wolper[Wolper82] introduced the concept of a regular-expression grammar 
operator into his Extended Temporal Logic (ETL). These grammar operators 
are used to define constraints, in the form of regular expressions, on allowable se- 
quences of parameterized operations. This produces very abstract specifications, 
in much the same style as Hailpern’s[Hailpern80] history-based, linear-time tem- 
poral logic. Wolper’s extension preserves P-space complexity. 

With a somewhat different focus, Moszkowski[Moszkowski82] uses a related 
notion of interval logic to define and prove properties of hardware circuits. Moszkowski 
integrates specification of quantitative bounds into his hardware description lan- 
guage. While our interval logic is oriented toward identifying properties true 
of specified contexts, Moszkowski’s logic provides interval abstraction, that is, 
a method to refer to all intervals having a certain property or decomposition. 

A semicolon operator, similar in spirit to the dynamic logic [Harel79] “chop” 
operator, allows formulas such as [ P ; Q ] to refer to all intervals composed 
from subintervals having properties P and Q. This very powerful concept again 
leads to nonelementary computational complexity. 
Appendix A. 


Reduction of Formulas Containing * Modifier 


The * modifier in the interval language is regarded as a linguistic convenience. 
Below, we give axioms to reduce a formula containing the * modifier to an equiv- 
alent formula without the modifier. In this section we denote interval terms pos- 
sibly containing the * modifier by I and J. 

We base the reduction on the following equivalence 

[I]α ≡ [I']α ∧ [I]true 

where I' is derived from I by omitting throughout the * modifiers. We also use 
the definition of *I to reduce the eventuality on intervals to an interval formula 

*I ≡ ¬[I]false 

For the outer level of interval structure, we use: 

[*I]true ≡ [⇒ *I]true ≡ *I 

[*I ⇐]true ≡ *(I ⇐) 

[begin *I]true ≡ [*begin I]true 

[end *I]true ≡ [*end I]true 

and for splitting composite intervals we use: 

[I ⇒ J]true ≡ [I ⇒][⇒ J]true 

[I ⇐ J]true ≡ [⇐ J][I ⇒]true 

Finally we give reduction rules for the four composite intervals that cannot 
be reduced by simple splitting of an interval. 

[⇒ (I ⇒ J)]true ≡ [I ⇒ J]true 

[⇒ (I ⇐ J)]true ≡ [I ⇐ J]true 

[(I ⇒ J) ⇐]true ≡ [begin(I ⇐) ⇒ J]true 

[(I ⇐ J) ⇐]true ≡ [J ⇐ begin(I ⇐)]true 
A Decision Procedure for Combinations 
of Propositional Temporal Logic 
and Other Specialized Theories 


David A. Plaisted 

SRI International, University of Illinois 
Abstract 

We present two decision procedures for formulae of discrete linear time proposi- 
tional temporal logic whose propositional part may include assertions in a specialized 
theory. The combined decision procedures may be viewed as extensions of known 
decision procedures for quantifier-free theories to theories including temporal logic 
connectives. The first runs in polynomial space relative to an oracle for the underly- 
ing theory. The second is more modular but requires the computation of least and 
greatest fixed points and may have a worse asymptotic running time. However, the 
second procedure can handle assertions containing arbitrary mixtures of extralogical 
variables, whose values cannot change with time, and state variables, whose values 
can change with time. The second procedure has been implemented efficiently enough 
to be practical. The same techniques appear to apply to logics other than temporal 
logic which have tableau-like decision procedures. 

This research was supported in part by National Science Foundation Grant MCS-81-09831. 
1. Introduction 

Various temporal logics have been proposed recently for reasoning about concur- 
rent programs. The advantage of temporal logic is that primitives are available for 
expressing time relationships concisely. The application of temporal logic to concur- 
rent programs is discussed in [6] and [2] and [3]. In [1], temporal logic specifications 
are used to guide the synthesis of programs having the desired behavior. This paper 
makes use of a tableau-like satisfiability algorithm for propositional temporal logic. 
An extension of propositional temporal logic is given in [10] for specifying and syn- 
thesizing programs written in the language of communicating sequential processes 
developed by Hoare. The complexity of deciding satisfiability of propositional tem- 
poral logic formulae is discussed in [9] for several variants of temporal logic. 

In practice, one is often interested in deciding validity or satisfiability of temporal 
formulae involving theories for which specialized decision procedures are available. 
For example, to verify that “Henceforth a > 1 implies eventually a > 0” requires 
reasoning not only about time but also about inequalities and integers. We develop 
a method for deciding the satisfiability (or validity) of such formulae. The method 
we give applies in general to logics having tableau-like decision procedures similar to 
that for temporal logic. 

We consider discrete linear time temporal logic similar to that described in [3]. The 
formulae of this logic are composed of predicate symbols P_i, Q_i, R_i, atoms (predicate 
symbols followed by a list of arguments which may contain variables, constants, and 
function symbols), the usual Boolean connectives ∧ (conjunction), ∨ (disjunction), ¬ 
(negation), and the temporal connectives □ (henceforth), ◇ (eventually), U (until), 
and ○ (next time). Predicate symbols by themselves are considered as special cases 
of atoms. Of the temporal connectives, □, ◇, and ○ are unary operators and U is 
binary. Our semantics is similar to that given in [3] except that U does not imply 
an eventuality; that is, U(p, q) is true if p is henceforth true and q never becomes 
true. The decision procedure could be adapted to either version of U. For a detailed 
description of the semantics of these formulae, see [3]. We give a brief description 
here. 

An interpretation consists of an infinite sequence of states, representing the world 
at successive instants of time. Each predicate symbol is given a Boolean value in 
each state (at each instant of time); the variables and function symbols in atoms 
are also interpreted so that atoms may be given Boolean values in the usual way. 
The interpretations of variables may differ depending on whether the variable is an 
extralogical variable, whose value does not change with time, or a state variable, whose 
value may change with time. From these values, the interpretation of an arbitrary 
formula in a state is defined. A formula is valid if it is true in all states in all 
interpretations, and it is consistent if it is true in some state in some interpretation. 
The Boolean connectives are interpreted as usual, so that for example P ∧ Q is true 
in a state if P is true in the state and Q is true in the state. A formula □A is true 
at time t if A is true at time t and at all successive times; a formula ◇A is true at 
time t if A is true at time t or at some later time; a formula ○A is true at time t if 
A is true at time t + 1, and U(P, Q) is true at time t if either □P is true at time 
t or there exists time u, u > t, such that Q is true at time u and P is true at all 
times v, t < v < u. For example, the formula ◇□P ⊃ □◇P is valid since if 
at some future time P is henceforth true, then at all future times P is eventually 
true. However, the formula ◇P ⊃ □P is satisfiable but not valid, since P may 
be eventually true without being henceforth true. We write TL ⊨ A if A is a valid 
temporal logic formula. 

Suppose only a subset of the models are considered. For example, the atoms 
may actually be quantifier-free formulae involving integers, addition, and inequalities, 
and we are only interested in interpretations consistent with the theory of linear 
inequalities of integers. The formula □(y = x + x) ⊃ □(y = 2x) is true in all 
such interpretations, but not valid in the uninterpreted case. In general, we assume 
a theory T which is time-independent and is a subset of the interpretations of the 
predicate symbols and atoms at each instant of time. Thus the same interpretations 
of the predicate symbols are permitted at all time instants. We write T ⊨ A to 
indicate that A is a Boolean combination of atoms which is valid in T, that is, A 
is true in all interpretations in T. We write TL(T) ⊨ A to indicate that A is a 
temporal logic formula which is true in all interpretations allowed by T; that is, the 
interpretation of the atoms at any time instant must be a member of T. We say 
informally that A is valid in T in this case. Satisfiability is defined as usual. 

The complexity of the satisfiability problem for such formulae without specialized 
theories is PSPACE complete [9]. In the presence of specialized theories, the com- 
plexity can be much greater; it will be at least as high as the complexity of the theory 
T being used. We will show that the complexity can never be much higher than this. 
In particular, the decision procedure is of PSPACE complexity relative to an oracle 
for deciding the specialized theory. The PSPACE upper bound can be realized by 
an algorithm which we shall call Algorithm A. However, another decision procedure 
(Algorithm B) for the combined theory has a more modular structure, requiring no 
interaction between the tableau method and the specialized theory, but may have a 
worse asymptotic behavior. Algorithm B has the advantage, however, that it can be 
used for formulae containing variables whose values do not change with time (which 
we shall call extralogical variables below, to distinguish them from state variables 
whose values can change with time). 


2. Extralogical variables 

The variables in atoms can be of two types, state variables and extralogical variables. 
State variables have values that may change from one time instant to the next; ex- 
tralogical variables have the same values at all times. Thus the formula x = 1 ⊃ 
○(x ≠ 2) is valid if x is an extralogical variable but not if x is a state variable. We 
are interested in deciding the validity of formulae containing both kinds of variables, 
in the presence of specialized theories. For example, suppose A(x, y, z, u, v, w) is a 
temporal formula in which x, y, and z are extralogical variables and u, v, and w are 
state variables. We give a method for constructing a formula T_A(x, y, z, u, v, w) not 
containing temporal connectives, such that TL(T) ⊨ ∀x∀y∀z A(x, y, z, u, v, w) iff 
T ⊨ ∀x∀y∀z T_A(x, y, z, u, v, w). This method uses Algorithm B, and is therefore 
apparently of a higher complexity than Algorithm A in some cases. 
3. The tableau method 


Without going into details, we give enough of the tableau method to describe the 
workings of Algorithms A and B. Given a temporal logic formula A, we decide if 
TL ⊨ A by negating A and constructing a graph G = Graph(¬A) which represents 
the set of models of ¬A. The nodes of G represent states and are labeled with formulae 
which must be true in the state. A node may be labeled with several formulae; in that 
case, all of the formulae labeling the node must be true in the state. One of the nodes 
is distinguished as the initial node of G and is labeled with ¬A. The edges are labeled 
with conjunctions of literals, where a literal is an atom or the negation of an atom. 
The edges may also be labeled with eventualities, which represent temporal formulae 
which must eventually be satisfied in any model of ¬A. Nodes with no outgoing edges 
may be deleted from G; similarly, edges are deleted if their terminal node is deleted, if 
the conjunction of literals labeling the edge is a contradiction, or if the edge is labeled 
with an eventuality which cannot be satisfied. An eventuality A on edge E can be 
satisfied iff there is a path in the graph from the terminal node of E to some node 
N having A as one of its labels. Let Iter(G) represent the graph that results from 
iterating all such deletions on G until no more deletions are possible. It turns out that 
A is valid (TL ⊨ A) iff the initial node of Graph(¬A) is deleted in Iter(Graph(¬A)). 
If a specialized theory T is specified, the graph or the iteration must be modified in 
a manner to be described below to determine whether TL(T) ⊨ A. 

The tableau method works because of the following chain of reasoning: A is 
non-valid iff there is an interpretation in which ¬A is true, iff there is an infinite 
path through Graph(¬A) starting at the initial node, such that all eventualities are 
satisfied, iff the initial node is not deleted from Iter(Graph(¬A)). We now explain 
what is meant by “all eventualities are satisfied” on an infinite path. Suppose that 
the infinite path is {e_1, e_2, ..., e_n, ...} where the e_i are edges and e_i is an edge from 
node N_i to node N_{i+1}. (There may be more than one edge between two nodes in the 
graph.) Suppose A is a temporal formula. Then we say A is reachable from node 
N_i if there exists j, j ≥ i, such that A is one of the labels of node N_j. If A is an 
eventuality labeling edge e_i, then we say A is satisfied at edge e_i if A is reachable 
from node N_{i+1}. Finally, all eventualities are satisfied on this infinite path if for all 
edges e_i in the path and all eventualities A labeling e_i, A is satisfied at edge e_i. If 
there is a theory T specified, then TL(T) ⊭ A iff there is an infinite path as above 
in which for all i, the conjunction of literals labeling e_i is satisfiable in T. 
4. Algorithm A 

The first algorithm is quite simple. Before iterating to obtain Iter(G), we first 
delete from G all edges E labeled with a conjunction of literals which is unsatisfiable 
in T. Other than this, the algorithm is exactly as in the general tableau method. 
One can easily verify that this is correct by reasoning similar to that used above to 
justify the general tableau method; one disadvantage is that this method requires a 
closer interaction between the decision procedure for T and the tableau method than 
Algorithm B. However, Algorithm A has the advantage that edges can be deleted using 
the specialized theory as the graph is constructed, so it may be that whole sections of 
the graph need not be constructed at all. It is clear that this method can be performed 
in polynomial space relative to an oracle for deciding T , by nondeterministically 
guessing a long enough path through the graph. 


5. Algorithm B 

The second algorithm requires a much more complicated iteration method on 
the graph G. Given the graph Graph(¬A), the method constructs a formula C 
representing conditions guaranteeing the validity of A. To be precise, C is a maximal 
formula ∨_i □C_i where the C_i are Boolean combinations of literals of A, such that 
TL ⊨ (C ⊃ A). We mean “maximal” in the sense of being true the most often 
possible. Note that C does not depend on T. 

Theorem 1. TL(T) ⊨ A iff TL(T) ⊨ C iff for some i, T ⊨ C_i. 


Proof: If for some i, T ⊨ C_i, then TL(T) ⊨ C (and conversely). However, TL(T) ⊨ 
(C ⊃ A) and so TL(T) ⊨ A by modus ponens. Conversely, suppose TL(T) ⊨ A. 
Let D be a Boolean combination of atoms in A such that for all interpretations I 
of the atoms in A, I ⊨ D iff I can be extended to an element of T by assigning 
Boolean values to other atoms. Thus, for all Boolean combinations D_1 of atoms of 
A, D ⊃ D_1 iff T ⊨ D_1, and D represents the set of interpretations of atoms in A 
consistent with T. Since D specifies all permissible assignments of Boolean values to 
atoms of A consistent with T, and TL(T) ⊨ A, it follows that TL ⊨ □D ⊃ A. 
Since C is maximal, TL ⊨ □D ⊃ C. By properties of temporal logic, D ⊃ C_i for 
some i (in propositional logic). Since T ⊨ D, T ⊨ C_i for some i. ∎ 
In method B, the formula C is found and then each C_i is given to a decision 
procedure for T. If some C_i is valid in T, then A is valid in the combined theory 
TL(T); otherwise, A is non-valid in this combined theory. Note that algorithm B is 
more modular than algorithm A since there is little interaction between the tableau 
method and the decision procedure for T. The decision procedure is called only when 
the graph construction and iteration are completed. Also, algorithm B may require 
fewer calls to the decision procedure than algorithm A. For example, if the formula A 
is valid in pure temporal logic, then algorithm B will not use the decision procedure 
for T at all, but algorithm A may. We do not know if algorithm B can be done in 
polynomial space relative to an oracle for T. One might try to guess a condition 
C_i such that T ⊨ C_i and then verify that TL ⊨ □C_i ⊃ A; however, such a C_i 
may itself be of size exponential in the size of A. Furthermore, extralogical variables 
require that C be computed as a whole, and a nondeterministic guess of C_i is not 
sufficient. 

If A has universally quantified extralogical variables, then these are included in C. 
Thus if A is ∀x∀y∀z A(x, y, z) where x, y, and z are extralogical variables, then C 
is ∀x∀y∀z C(x, y, z) where C(x, y, z) is obtained from A(x, y, z) the same way C is 
obtained from A above. 

Corollary 2. TL(T) ⊨ ∀x_1...∀x_n A(x_1...x_n) iff TL(T) ⊨ ∀x_1...∀x_n C(x_1...x_n) 
where the x_i are extralogical variables. 

Proof: Similar to the theorem. ∎ 

To apply this result, we need a way of reducing the decision procedure for formulae 
∀x_1...∀x_n C(x_1...x_n), which are quantified temporal logic formulae, to formulae in the 
theory T. Note that TL(T) ⊨ ∀x_1...∀x_n C(x_1...x_n) iff 

∀x_1...∀x_n ∃i T ⊨ C_i(x_1...x_n) (1) 

where C_i are as before except with extralogical variables included. In order to use 
specialized decision procedures for the theory T, it is necessary to make statement 
(1) into a statement in the theory T. There are ways of doing this for theories having 
certain common properties. For example, suppose T has the property that for all 
closed formulae B, either T ⊨ B or T ⊨ ¬B. (A formula is closed if it has no free 
variables.) Then statement (1) is true iff 

T ⊨ ∀x_1...∀x_n ∨_i C_i'(x_1...x_n). (2) 

where C_i' is C_i with all state variables universally quantified. Thus the difference 
between extralogical variables and state variables is one of scope; extralogical variables 
have the whole formula (2) as scope, whereas state variables have only a single C_i' as 
scope. If T has uninterpreted function symbols, it will be necessary to rename these 
in each C_i' so that no two formulae C_i' have common uninterpreted function symbols. 

5.1. Example 

Suppose C is □(x > 0) ∨ □(x < 1). If x is a state variable, this formula is valid 
in TL(T) iff T ⊨ ∀y(y > 0) ∨ ∀z(z < 1). Thus C would not be valid for ordinary 
arithmetic. If x is an extralogical variable, then C is valid iff T ⊨ ∀x(x > 0 ∨ x < 1), 
hence C would be valid for ordinary arithmetic. 

5.2. Existential quantifiers 

There are problems with extending the method to existentially quantified extralogi- 
cal variables. In fact, we have not even been able to give an upper bound in the 
arithmetic hierarchy [11] for the decision problem for formulae of the form ∃x A(x) 
where x is an extralogical variable and A is a temporal formula. For example, consider 
the formula 

□∀y(z = y ⊃ ○(z = y − 1)) ⊃ ◇(z < 0) 

where y is an extralogical variable and z is a state variable. This formula is valid in the 
usual interpretation of arithmetic, but to show this requires an inductive argument. 
This formula becomes of the form ∃y A(y) when the universal quantifier is moved to 
the outside of the formula. 

5.3. Iterating to obtain C 

We now discuss the method of computing C, which involves a double iteration on 
the graph G. We compute a set of conditions delete(N) for nodes N of G and fail(A, 
N) for nodes N of G and eventualities A of edges of G. These conditions are defined 
in terms of one another by a set of equations. It will turn out that for delete(N) we 
want the minimal solution of these equations and for fail(A, N) we want the maximal 
solution, where FALSE is minimum and TRUE is maximum as usual. To compute 
the solution requires a double iteration. 

The condition delete(N) gives the condition under which node N will be deleted 
from the graph G. The condition fail(A, N) gives the condition under which the 
eventuality A will not be reachable by a path from the node N. Intuitively, since 
nodes will not be deleted unless they are forced to be deleted, we find the minimal 
solution for delete(N); however, an eventuality is not reachable unless it is forced to 
be reachable, hence we want the maximal solution for fail(A, N). 

Given edge e of G, let fin(e) be the final node of e, event(e) be the set of eventualities 
labeling e, and prop(e) be the conjunction of literals labeling e. Thus prop(e) is the 
“propositional part” of e. Given a node N of G, let edges(N) be the set of edges whose 
initial node is N. We have the following equations for delete(N) and fail(A, N): 


delete(N) ≡ ∧_{e ∈ edges(N)} (□¬prop(e) ∨ delete(fin(e)) ∨ ∨_{A ∈ event(e)} fail(A, fin(e))) (3) 


fail(A, N) ≡ ∧_{e ∈ edges(N)} (□¬prop(e) ∨ delete(fin(e)) ∨ (A ∈ event(e) ∧ fail(A, fin(e)))) (4) 


Let Delete be a vector of deletion conditions for the nodes of G, and let Fail be a 
vector of fail conditions for edges and eventualities of G. We compute Delete and Fail 
by iteration using the functionals F_D and F_F, where F_D uses equation (3) to compute 
new values of Delete from old values of Delete and Fail, and F_F uses equation (4) to 
compute new values of Fail from old values of Delete and Fail. The iteration proceeds 
as follows: 

1. Set all elements of Delete to False. 

2. Set all elements of Fail to True. 

3. Repeat 4, 5, and 6 until both Delete and Fail are unchanged: 

4. Iterate Fail := F_F(Delete, Fail) until no change. 

5. Iterate Delete := F_D(Delete, Fail) until no change. 

6. Set all elements of Fail to True. 

7. Return Delete of initial node as the condition C. 

Since Fail is set to True before each iteration, the maximal fixpoint of Fail will be 
computed. Since Delete is initially set to False, the minimal fixpoint of Delete will be 
computed. Note that extralogical variables of A must be universally quantified. 
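To make the iteration concrete, the following Python is an added example written for this edition; it is not code from the paper or from the Interlisp implementation it describes. It reads equations (3) and (4) over the two-element lattice, which is what they collapse to when each condition □¬prop(e) is decided outright (Algorithm A's up-front edge deletion of section 4, with a small integer-bounds oracle standing in for the decision procedure for T) and there are no extralogical variables. In that setting the double iteration of steps 1 to 7 computes exactly the Iter(G) deletions of section 3: the minimal fixpoint of Delete is the set of deleted nodes, the maximal fixpoint of Fail marks the eventualities that cannot be satisfied, and Delete of the initial node is True iff the formula is valid. The `Edge` record, the literal syntax (`x>0`, `p`, `!p`), the hand-built graph for ¬(□(x > 0) ⊃ ¬◇(x < 1)) and the bounds oracle are all assumptions of the example; the paper's graph construction is not reproduced.

```python
import re
from dataclasses import dataclass
from math import inf
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Edge:
    fin: str               # fin(e): terminal node of the edge
    prop: FrozenSet[str]   # prop(e): conjunction of literals such as "x>0", "p", "!p"
    event: FrozenSet[str]  # event(e): eventualities still pending across this edge


Graph = Dict[str, List[Edge]]               # N -> edges(N), the edges leaving node N
Oracle = Callable[[FrozenSet[str]], bool]   # satisfiability of a literal set in theory T


def syntactic_contradiction(lits: FrozenSet[str]) -> bool:
    """Uninterpreted case: prop(e) is contradictory iff it contains both p and !p."""
    return any(lit.startswith("!") and lit[1:] in lits for lit in lits)


BOUND = re.compile(r"([A-Za-z_]\w*)(>=|<=|>|<|=)(-?\d+)")


def bounds_oracle(lits: FrozenSet[str]) -> bool:
    """Assumed stand-in for the decision procedure for T: a conjunction of integer
    bound literals `var OP const` is satisfiable iff, per variable, the tightest
    lower bound does not exceed the tightest upper bound.  Other literals are ignored."""
    lo, hi = {}, {}
    for lit in lits:
        m = BOUND.fullmatch(lit)
        if m is None:
            continue
        v, op, c = m.group(1), m.group(2), int(m.group(3))
        if op in (">", ">="):
            lo[v] = max(lo.get(v, -inf), c + 1 if op == ">" else c)
        elif op in ("<", "<="):
            hi[v] = min(hi.get(v, inf), c - 1 if op == "<" else c)
        else:  # "="
            lo[v] = max(lo.get(v, -inf), c)
            hi[v] = min(hi.get(v, inf), c)
    return all(lo.get(v, -inf) <= hi.get(v, inf) for v in set(lo) | set(hi))


def initial_node_deleted(graph: Graph, initial: str, oracle: Optional[Oracle] = None) -> bool:
    """Double iteration of section 5.3 over truth values: minimal fixpoint for Delete,
    maximal fixpoint for Fail.  Returns True iff the initial node is deleted, i.e. iff
    the formula whose negation the graph represents is valid (in TL, or in TL(T) when
    an oracle for T is supplied)."""
    nodes = list(graph)
    events = {A for n in nodes for e in graph[n] for A in e.event}

    def dead(e: Edge) -> bool:
        # Algorithm A (section 4): drop an edge whose literals are unsatisfiable in T.
        return syntactic_contradiction(e.prop) or (oracle is not None and not oracle(e.prop))

    def f_d(delete, fail):  # equation (3)
        return {n: all(dead(e) or delete[e.fin] or any(fail[(A, e.fin)] for A in e.event)
                       for e in graph[n]) for n in nodes}

    def f_f(delete, fail):  # equation (4)
        return {(A, n): all(dead(e) or delete[e.fin] or (A in e.event and fail[(A, e.fin)])
                            for e in graph[n]) for (A, n) in fail}

    def fixpoint(step, vec):
        while True:
            new = step(vec)
            if new == vec:
                return vec
            vec = new

    all_true = {(A, n): True for A in events for n in nodes}
    delete = {n: False for n in nodes}   # step 1
    fail = dict(all_true)                # step 2
    while True:                          # step 3
        previous = (delete, fail)
        fail = fixpoint(lambda fl: f_f(delete, fl), dict(all_true))   # steps 6 and 4
        delete = fixpoint(lambda d: f_d(d, fail), delete)             # step 5
        if (delete, fail) == previous:
            return delete[initial]


# Constructed graph for ¬A with A = □(x > 0) ⊃ ¬◇(x < 1), i.e. ¬A = □(x > 0) ∧ ◇(x < 1).
# n0 carries both obligations: ◇(x < 1) is either discharged now (edge to n1, which only
# carries □(x > 0)) or postponed (self-loop carrying the eventuality).  Hand-built for
# the example, not produced by the paper's program.
EV = "<>(x<1)"
EXAMPLE_GRAPH: Graph = {
    "n0": [Edge("n1", frozenset({"x>0", "x<1"}), frozenset()),
           Edge("n0", frozenset({"x>0"}), frozenset({EV}))],
    "n1": [Edge("n1", frozenset({"x>0"}), frozenset())],
}

if __name__ == "__main__":
    print("valid in pure TL: ", initial_node_deleted(EXAMPLE_GRAPH, "n0"))
    print("valid in TL(T):   ", initial_node_deleted(EXAMPLE_GRAPH, "n0", bounds_oracle))
```

Without the oracle the edge labeled x > 0 ∧ x < 1 survives, so the initial node is never deleted and A is not valid in uninterpreted temporal logic; with the oracle that edge is dead, the only remaining edge out of n0 carries an eventuality whose Fail condition stays True, and the initial node is deleted.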
6. Implementation 

Method B has been implemented in Interlisp on the F2 computer and appears to be 
of reasonable complexity. For formulae of moderate size, the graph construction and 
iteration typically take about a minute of compute time or less; the graph construction 
usually takes longer than the iteration. The iteration was greatly sped up by finding 
the strongly connected components of G and iterating on them in order. Thus if G1 
is a strongly connected component of G having no edges leading out of G1, then the 
Fail and Delete conditions can be iterated to a fixpoint in G1 before iterating on the 
rest of G. This can be extended component by component to the whole graph and 
avoids much repeated computation. 

As examples of formulae run on the program, we give the following formulae R3, 
R4, and R5: 

R3: □LUA(A, X) ∧ □LUA(A, Y) ⊃ □LUA(A, X ∧ Y) 

R4: □LUA(A, B ∧ C) ∧ □LUA(B, A ∧ ¬C) ⊃ □LUA(A ∨ B, FALSE) 

R5: LUA(A, B) ∧ LUA(B, C) ⊃ LUA(A ∨ B, C) 

Here LU(X, Y) is defined to be ∨(¬P, U(P ∧ ¬Q, Q)) and LUA(X, Y) is defined to 
be LU(A, A ∧ B). The times to construct the graph and iterate and the number of 
nodes and edges in the graph are given in the following table. These formulae were 
all shown to be valid in pure temporal logic. 

Formula   Graph Construction   Iteration   Nodes   Edges 
          (Seconds)            (Seconds) 

R3        67                   14          13      108 

R4        105                  22          16      166 

R5        13.8                 5           8       34 


7. Extensions 

We are studying an interval based temporal logic developed by Schwartz, Melliar- 
Smith, and Vogt [7] which also has a PSPACE complete decision problem in the 
absence of specialized theories. The above methods can be extended to this logic, and 
probably to any temporal or modal logic having a tableau-like decision procedure. 
Since the decision procedures for specialized theories developed by Nelson, Oppen, and 
others [4], [5], [8] have proven to be of considerable practical value in the verification 
of non-concurrent programs, it is possible that the methods presented here will also 
be of much value in the verification of concurrent programs using temporal logic. 
1. Introduction 

We present a low level language which has been found convenient for obtaining a 
decision procedure for the interval logic of Schwartz, Melliar-Smith, and Vogt [7]. This 
language is a generalization of regular expressions, and is expressive enough so that there are 
easy translations of other temporal logics into the low level language. We give a non- 
elementary decision procedure for the language with a certain syntactic restriction. This pro- 
cedure requires that eventualities be treated in a nonstandard way; the reason seems to be 
that this language deals with concatenation of sequences as well as with the usual temporal 
connectives. The low level language is convenient for expressing synchronization constraints 
such as mutual exclusion and thus may have applications to automatic generation of con- 
current programs as described in Manna and Wolper [3]. It would also be interesting to investi- 
gate relationships of this language to the path expressions of [1]. 


1.1 Sets of computations 

The most natural way to view the language is that each expression represents a set 
of computation sequence constraints. A computation sequence constraint is a sequence of sets 
of permitted and forbidden events, specifying which events may or may not occur at various 
instants of time. For example, we specify that event x is permitted and events y and z are 
forbidden at a given instant of time by the conjunction x ∧ ȳ ∧ z̄, where x, y, and z are 
propositional variables. Thus a computation sequence constraint may be represented by a 
sequence of conjunctions of propositional variables and negations of propositional variables. A 
computation sequence over a given set X of events is a sequence of conjunctions C in which for 
each x in X, either x occurs in C or x̄ occurs in C but not both. This represents the computa- 
tion in which event x occurs at time i if x is in the i-th conjunction, and event x does not occur 
at time i if x̄ is in the i-th conjunction. Such a computation sequence satisfies a constraint if per- 
mitted events occur when specified by the constraint and forbidden events do not occur when 
forbidden by the constraint. Sets of such constraints represent the disjunction of their ele- 
ments; that is, a computation sequence satisfies a set S of constraints if the computation 
sequence satisfies some element of S. The language has connectives for expressing concurrency, 
nondeterministic choice, iteration, concatenation, “hiding” of events, and “exceptional events” 
which are false unless specified to be true, or true unless specified to be false. Note that this 
language differs from dynamic logic [6] in that we consider computation sequences rather than 
just input-output relations of programs. 


2. Syntax 


The language consists of well-formed expressions built up from propositional vari- 
ables and their negations, the following constants: 

T (True), F (False), T* 

the following unary operations: 

infloop, ∃x, Fx, Tx (for propositional variable x), 

the following binary connectives: 

∧ (conjunction), ∨ (disjunction), as, concatenation, iter*, iter(*) 

Expressions in the language are denoted by α, β, γ, δ. The concatenation of α and β is written 
as αβ. Also, infloop(α) is sometimes written α^∞. Thus (∃x)[y ∧ (Fx)(T*x)] is an example of a 
formula. The quantifier ∃x binds the variable x according to the usual scope rules; Fx and 
Tx do not bind x, although they can also be viewed as quantifiers. Thus in the formula 
(Fx)(x ∧ y), both x and y are free variables; in the formula (∃x)(x ∧ y), y is free but x is 
not free. Therefore in the formula (∃x)(y ∧ (Fx)x), the same x is referred to by (∃x) and by 
(Fx). Negation can only be applied to propositional variables; this restriction seems natural 
for the examples we have considered. 
3. Semantics 

Our method of defining semantics is nonstandard, but seems most convenient for 
this language. With each formula α we associate a set Φ(α) of partial interpretations, where a 
partial interpretation is a finite or infinite sequence of conjunctions of propositional variables 
and negations of propositional variables. These are the same as the “computation sequence 
constraints” introduced in section 1.1. Thus a formula represents a set of constraints; later we 
introduce another semantics in which a formula represents the set of computations satisfying 
at least one of these constraints. This is an example of a partial interpretation: 

P, F ∧ Q̄, F, T, R 

If I is a partial interpretation then |I| is the length of I (so the length of the above example is 
6). The letters I and J will be used for partial interpretations. A formula α is satisfiable if 
there exists I in Φ(α) such that no conjunction of I is contradictory. 

Intuitively, propositional variables x represent computation sequences consisting of 
the single event x, negations x̄ of propositional variables represent computation sequences con- 
sisting of a single time instant in which x does not occur, T represents any computation 
sequence of length one (that is, consisting of one instant of time), F represents no computation 
sequence, T* represents any finite or infinite computation sequence, α ∨ β represents the non- 
deterministic choice of α or β, α ∧ β represents concurrent execution of α and β, with the 
longer computation extended past the shorter one, as represents concurrent execution for 
sequences of the same length, α;β represents serial composition of α and β, αβ represents serial 
composition of α and β in which the last state of α is concurrent with the first state of β, and 
(∃x)α represents the computation of α with the events x “hidden;” this permits “local events” 
not visible outside of (∃x)α. Such local events can be used for message passing or synchroniza- 
tion within a subcomputation, for example. Also, (Fx)α represents computations of α in which 
the event x is made false everywhere except where it is specified to be true, and (Tx)α 
represents computations of α in which the event x is made true everywhere except where it is 
specified to be false. In addition, α^∞ represents computation sequences in which a copy of α is 
begun at each successive time instant from now on, iter(*)(α, β) represents computation 
sequences in which copies of α are begun at successive time instants until possibly some future 
time, at which β is begun; and iter*(α, β) is the same except that β must eventually be started, 
and up to that time, copies of α are begun. Furthermore, these last three “iteration” operators 
require that all relevant α and β computations end at the same time. Possibly this simul- 
taneity requirement can be dropped. We could add a constant ε to the language, representing 
a sequence of length zero, but this has not been necessary. 

We give an example to show how the language can express synchronization constraints. Let $\alpha$ and $\beta$ be formulae of the language in which neither of the propositional variables $x$ or $y$ occur free. Consider the expression 

$(Fx)(T^{*}x\alpha) \wedge (Fy)(T^{*}y\beta) \wedge (Fx)(Fy)(T^{*}xT^{*}y)$. 

The first part of the formula $(Fx)(T^{*}x\alpha)$ specifies $x$ as an event that occurs at the beginning of the $\alpha$ computation, but nowhere else until $\alpha$ ends. The second part of the formula specifies that $y$ is an event that occurs at the beginning of the $\beta$ computation, but nowhere else until $\beta$ ends. The third part $(Fx)(Fy)(T^{*}xT^{*}y)$ specifies that the first time $x$ becomes true is no later than the first time $y$ becomes true. The whole formula therefore specifies that $\alpha$ begins no later than $\beta$ begins. The formula 

$(\exists x)(\exists y)[(Fx)(T^{*}x\alpha) \wedge (Fy)(T^{*}y\beta) \wedge (Fx)(Fy)(T^{*}xT^{*}y)]$ 

is the same except that the events $x$ and $y$ used to communicate between $\alpha$ and $\beta$ have been hidden, and are no longer part of the computation sequences. 

It is useful to define some operations on partial interpretations in order to give a formal semantics of the language. 

$I \wedge J$ is defined by 

1. $|I \wedge J| = \max(|I|, |J|)$ and 

2. if $i \le |I|$, $i \le |J|$ then $(I \wedge J)_{i} = I_{i} \wedge J_{i}$; 
   if $i \le |I|$, $i > |J|$ then $(I \wedge J)_{i} = I_{i}$; 
   if $i > |I|$, $i \le |J|$ then $(I \wedge J)_{i} = J_{i}$. 

$IJ$ (the concatenation of $I$ and $J$) is defined by 

1. $|IJ| = |I| + |J| - 1$ where $\infty + x = x + \infty = \infty$, and 

2. $(IJ)_{i} = I_{i}$ if $i < |I|$, 
   $(IJ)_{i} = I_{i} \wedge J_{1}$ if $i = |I|$, 
   $(IJ)_{i} = J_{i - |I| + 1}$ if $i > |I|$. 

Thus there is a one element overlap between $I$ and $J$. 

$I;J$ is concatenation without overlap, and is defined by 

1. $|I;J| = |I| + |J|$ and 

2. $(I;J)_{i} = I_{i}$ if $i \le |I|$, 
   $(I;J)_{i} = J_{i - |I|}$ if $i > |I|$. 

$(\exists x)I$ is $I$ with $x$ and $\bar{x}$ deleted from all conjunctions. 

$(Fx)I$ is $I$ with $\bar{x}$ added to all conjunctions not containing $x$ or $\bar{x}$. Thus $x$ is made false except where a value for $x$ is already specified. 

$(Tx)I$ is $I$ with $x$ added to all conjunctions not containing $x$ or $\bar{x}$. Thus $x$ is made true except where a value for $x$ is already specified. 

The semantics of formulae are defined as follows: 

$\Psi(p) = \{p\}$ for propositional variable $p$ 

$\Psi(\bar{p}) = \{\bar{p}\}$ 

$\Psi(T) = \{T\}$ 

$\Psi(F) = \{F\}$ 

$\Psi(T^{*}) = \{T,\ T;T,\ T;T;T,\ \cdots,\ T^{\infty}\}$ 

$\Psi(\alpha \vee \beta) = \Psi(\alpha) \cup \Psi(\beta)$ 

$\Psi(\alpha \wedge \beta) = \{I \wedge J : I \in \Psi(\alpha),\ J \in \Psi(\beta)\}$ 

$\Psi(\alpha\ \mathit{as}\ \beta) = \{I \wedge J : I \in \Psi(\alpha),\ J \in \Psi(\beta),\ |I| = |J|\}$ 

$\Psi(\alpha;\beta) = \{I;J : I \in \Psi(\alpha),\ J \in \Psi(\beta)\}$ 

$\Psi(\alpha\beta) = \{IJ : I \in \Psi(\alpha),\ J \in \Psi(\beta)\}$ 

$\alpha^{\infty} = \alpha \wedge (T;\alpha) \wedge (T;T;\alpha) \wedge (T;T;T;\alpha) \wedge \cdots$ 

$\mathit{iter}^{*}(\alpha, \beta) = \bigvee_{k \ge 0} [\alpha\ \mathit{as}\ (T;\alpha)\ \mathit{as}\ (T^{2};\alpha)\ \mathit{as}\ \cdots\ \mathit{as}\ (T^{k};\alpha)\ \mathit{as}\ (T^{k+1};\beta)]$ 

where $T^{2}$ is $T;T$ and $T^{3}$ is $T;T;T$, et cetera. 

$\mathit{iter}(*)(\alpha, \beta) = \alpha^{\infty} \vee \mathit{iter}^{*}(\alpha, \beta)$ 

$\Psi(\exists x\alpha) = \{\exists xI : I \in \Psi(\alpha)\}$ 

$\Psi(Fx\alpha) = \{FxI : I \in \Psi(\alpha)\}$ 

$\Psi(Tx\alpha) = \{TxI : I \in \Psi(\alpha)\}$ 

3.1 Restrictions on the Quantifiers 

Note that $Fx$ and $Tx$ are non-monotone. They must therefore be used with care. Let $L$ be the language defined above. Let $L_{1}$ be $L$ with the following restriction added: 

The quantifiers $Tx$ and $Fx$ may only be applied to a formula $\alpha$ which is composed of 

a) formulae in which $x$ does not occur free 

b) $x$ 

c) the connectives concatenation, $\wedge$, $\mathit{as}$, $\exists y$, $Fy$, $Ty$ for $y \ne x$. 

If these restrictions are relaxed, then one can construct formulae which can count arbitrarily high, and the tableau-like decision procedure does not work correctly. In fact, satisfiability of formulae in $L$ may even be undecidable. 
4. A Decision Procedure 

The decision procedure for $L_{1}$ is complicated by the fact that eventualities do not behave in the usual way. The connective $\mathit{iter}^{*}$ is the only connective introducing an eventuality: $\mathit{iter}^{*}(\alpha, \beta)$ implies that eventually $\beta$ will be true (considering the interpretations as representing sequences of formulae which must be true at successive instants of time). Also, the formula $\mathit{iter}^{*}(\alpha, \beta);\gamma$ implies that eventually $\beta;\gamma$ will be true. We express an eventuality $\Diamond\delta$ as $T^{*};\delta$. We would like to find some eventuality $\delta$ such that 

$\mathit{iter}^{*}(\alpha, \beta);\gamma = [\mathit{iter}(*)(\alpha, \beta);\gamma] \wedge \Diamond\delta$ 

or such that 

$\mathit{iter}^{*}(\alpha, \beta);\gamma = [\mathit{iter}(*)(\alpha, \beta);\gamma]\ \mathit{as}\ \Diamond\delta$ 

Now, letting $\delta$ be $\beta;\gamma$ will not work because we need to know that the $\beta$ in $\beta;\gamma$ ends the same time $\mathit{iter}(*)(\alpha, \beta)$ ends. In fact, we have the following result: 

Proposition. There does not exist a formula $\delta$ depending on $\alpha$, $\beta$, $\gamma$ such that for all $\alpha$, $\beta$, $\gamma$, 

$\mathit{iter}^{*}(\alpha, \beta);\gamma = [\mathit{iter}(*)(\alpha, \beta);\gamma] \wedge \Diamond\delta$ 

or such that for all $\alpha$, $\beta$, $\gamma$, 

$\mathit{iter}^{*}(\alpha, \beta);\gamma = [\mathit{iter}(*)(\alpha, \beta);\gamma]\ \mathit{as}\ \Diamond\delta$ 

Proof. Let $\alpha$ be $PT^{\infty} \vee FT$, let $\beta$ be $F$, and let $\gamma$ be $F^{\infty}$. Then $P;F^{\infty}$ is a model of $\mathit{iter}(*)(\alpha, \beta);\gamma$ but not a model of $\mathit{iter}^{*}(\alpha, \beta);\gamma$. Therefore if such a $\delta$ exists, $\Diamond\delta$ must be false in the interpretation $P;F^{\infty}$. However, $F^{\infty}$ is a model of $\mathit{iter}^{*}(\alpha, \beta);\gamma$, so $\Diamond\delta$ must be true in the interpretation $F^{\infty}$. But if $F^{\infty} \models \Diamond\delta$ then $T;F^{\infty} \models \Diamond\delta$, hence $P;F^{\infty} \models \Diamond\delta$, contradiction. 

Because of this result, we give a decision procedure in which eventualities are treated in a nonstandard way. The decision procedure is graph oriented and model theoretic in nature; it may be possible to convert it to a syntactic nondeterministic tableau-like decision procedure. We first give another definition of the semantics of a formula of $L_{1}$. 

Definition. A standard temporal interpretation is an infinite sequence of interpretations of propositional variables in a given set $X$ of propositional variables. This is the same as the "computation sequence" introduced in section 1.1. 

Definition. If $I$ is a partial interpretation $c_{1}, c_{2}, c_{3}, \cdots$, let $\Psi_{1}(I)$ be the set of standard temporal interpretations $V$ such that $c_{i}$ is true in the $i$-th element of $V$ for all $i$. 

Definition. If $\alpha$ is a formula of $L_{1}$ then $\Psi_{1}(\alpha) = \bigcup\{\Psi_{1}(I) : I \in \Psi(\alpha)\}$. This is the set of computation sequences satisfying at least one of the constraints in $\Psi(\alpha)$. 

Note that $\alpha$ is consistent iff $\Psi_{1}(\alpha) \ne \emptyset$. For each formula $\alpha$ of $L_{1}$, the decision procedure constructs a graph $G_{\alpha}$ and provides a semantics for $G_{\alpha}$ such that $\Psi_{1}(G_{\alpha}) = \Psi_{1}(\alpha)$. An iteration procedure applied to $G_{\alpha}$ decides if $\Psi_{1}(G_{\alpha}) = \emptyset$. 


4.1 Graph construction 

We construct graphs $G_{\alpha}$ such that $G_{\alpha}$ represents the set of computation sequences specified by $\alpha$. The nodes in the graphs represent states, and the edges represent transitions from one state to another. Successive states in a path through the graph represent successive instants of time in a computation sequence. If there is an edge from node $m$ to node $n$, then this edge specifies the events (propositional variables) that must occur or not occur in state $m$, if the transition from $m$ to $n$ is taken. Also, this edge may have a set of eventualities, representing events that must occur at some future time, and a set of satisfied eventualities, representing events that occur at state $m$ and satisfy some previous eventuality. It is necessary to associate eventualities with nodes (actually, node basis elements, see below) in the graph. The reason is that if two processes are running concurrently, and they both require that some eventuality be satisfied, it is sometimes necessary to know for which of the two processes the eventuality has been satisfied. It may not be enough just for an eventuality to be satisfied; it may have to be satisfied at a particular time in the computation. For this reason, eventualities also contain information about which node they are associated with. We let the nodes in a graph be sets of elements of the node basis, which is some set disjoint from the set of eventualities. The reason for using subsets of the node basis as nodes of the graph is that we can represent states $s1$ and $s2$ occurring concurrently by a node which is the union of the node basis elements of $s1$ and $s2$. However, if $s1$ and $s2$ have common elements, the semantics can become confused; eventualities are associated with node basis elements, and it may be necessary to distinguish which node the eventuality came from. Therefore we require that the node basis elements of $s1$ and $s2$ be disjoint whenever such a union is done. If this disjointness property does not already hold, then we define a disjoining operation and a separation property on graphs, which insure that the disjointness property does hold. 
We define the graphs as follows. Each node is a subset of the node basis $NB$. One node of the graph is distinguished as the initial node of $G$, written $init(G)$. The edges $e$ have, in addition to an initial node $init(e)$ and a final node $fin(e)$, a set $ev(e)$ of eventualities and a set $se(e)$ of satisfied eventualities. Each eventuality and satisfied eventuality is an ordered pair $\langle v, n\rangle$ where $n$ is a subset of $NB$ and $v$ is an eventuality primitive. The eventuality primitives are elements of the set $EP$; we assume the set $EP$ is specified in some way and is disjoint from $NB$. An edge $e$ also has a propositional part $prop(e)$, which is a conjunction of propositional variables and their negations. Associated with each edge $e$ of a graph $G$ there is a node relation $R_{e}$ between subsets of $NB$ and subsets of $NB$. We consider such a relation $R$ to be the set $\{\langle x, y\rangle : R(x, y)\}$. Thus $\emptyset$ is the totally undefined relation. Also, for nodes $m$ and $n$, let $g_{m,n}$ be the relation $\{\langle m, n\rangle\}$ between $m$ and $n$. We write the edge $e$ as the tuple $\langle init(e), fin(e), prop(e), ev(e), se(e), R_{e}\rangle$. Let $N(G)$ be the nodes of graph $G$ and $E(G)$ be the edges. 

Each graph may have a distinguished END node. This indicates the end of the partial interpretation. 

The graphs $G_{\alpha}$ for various $\alpha$ are defined as follows. We give the easy cases first. 

If $\alpha$ is $T$, $F$, $x$, or $\bar{x}$ for propositional variable $x$, then $G_{\alpha}$ is defined by $N(G_{\alpha}) = \{m, END\}$, $init(G_{\alpha}) = m$, and $E(G_{\alpha}) = \{\langle m, END, \alpha, \emptyset, \emptyset, \emptyset\rangle\}$. Here $m$ is some singleton subset of $NB$. Note that $R_{e}$ is totally undefined for the edge $e$ of $G_{\alpha}$. 

If $\alpha$ is $T^{*}$ then $G_{\alpha}$ is defined by $N(G_{\alpha}) = \{m, END\}$, $init(G_{\alpha}) = m$, and $E(G_{\alpha}) = \{\langle m, m, T, \emptyset, \emptyset, g_{m,m}\rangle,\ \langle m, END, T, \emptyset, \emptyset, \emptyset\rangle\}$, where $m$ is some singleton subset of $NB$. 

$G_{\exists x\alpha}$ is $G_{\alpha}$ with $x$ and $\bar{x}$ deleted from the propositional parts of all edges (and node relations unchanged). 

$G_{Fx\alpha}$ is $G_{\alpha}$ with $\bar{x}$ added to the propositional parts of all edges not containing $x$ or $\bar{x}$ in the propositional part (and node relations unchanged). 

$G_{Tx\alpha}$ is $G_{\alpha}$ with $x$ added to the propositional parts of all edges not containing $x$ or $\bar{x}$ in the propositional part (and node relations unchanged). 


Definition. Two graphs $G_{\alpha}$ and $G_{\beta}$ are separated if they have no common node basis elements or eventuality primitives. That is, if $m_{1} \in Nodes(G_{\alpha})$ and $m_{2} \in Nodes(G_{\beta})$ then $m_{1} \cap m_{2} = \emptyset$, and if $\langle v_{1}, m_{1}\rangle$ is an eventuality or satisfied eventuality of $G_{\alpha}$, and $\langle v_{2}, m_{2}\rangle$ is an eventuality or satisfied eventuality of $G_{\beta}$, then $v_{1} \ne v_{2}$. 

In the following definitions of graphs, assume that $G_{\alpha}$ and $G_{\beta}$ are separated. If they are not, then assume node basis elements and eventuality primitives have been systematically renamed so that $G_{\alpha}$ and $G_{\beta}$ are separated. Note that this also requires modifying the node relations in a corresponding way. 

$G_{\alpha \vee \beta}$ is defined as follows: Let $m$ be a new node not in $N(G_{\alpha})$ or $N(G_{\beta})$. That is, $m$ is $\{b\}$ for some node basis element $b$ which does not appear in $G_{\alpha}$ or $G_{\beta}$. Then 

$N(G_{\alpha \vee \beta}) = N(G_{\alpha}) \cup N(G_{\beta}) \cup \{m\}$, 

$init(G_{\alpha \vee \beta}) = m$, and 

$E(G_{\alpha \vee \beta}) = E(G_{\alpha}) \cup E(G_{\beta}) \cup \{\langle m, n, C, ev, se, g_{m,n}\rangle : \langle init(G_{\alpha}), n, C, ev, se, R_{1}\rangle \in E(G_{\alpha})\} \cup \{\langle m, n, C, ev, se, g_{m,n}\rangle : \langle init(G_{\beta}), n, C, ev, se, R_{2}\rangle \in E(G_{\beta})\}$. 

$G_{\alpha;\beta}$ is defined as follows: $N(G_{\alpha;\beta}) = N(G_{\alpha}) \cup N(G_{\beta})$, $E(G_{\alpha;\beta}) = E(G_{\alpha}) \cup E(G_{\beta})$ except that edges of $G_{\alpha}$ of the form $\langle m, END, C, ev, se, R_{e}\rangle$ are replaced by $\langle m, init(G_{\beta}), C, ev, se, g_{m, init(G_{\beta})}\rangle$. Also, $init(G_{\alpha;\beta}) = init(G_{\alpha})$. 

$G_{\alpha\beta}$ is defined as follows: $N(G_{\alpha\beta}) = N(G_{\alpha}) \cup N(G_{\beta})$, $init(G_{\alpha\beta}) = init(G_{\alpha})$, and $E(G_{\alpha\beta}) = E(G_{\alpha}) \cup E(G_{\beta})$ except that an edge $\langle m, END, C, ev, se, R_{e}\rangle$ of $G_{\alpha}$ is replaced by $\{\langle m, n, C \wedge D, ev', se, g_{m,n}\rangle : \langle init(G_{\beta}), n, D, ev', se', R'\rangle \in E(G_{\beta})\}$. 

For the remaining cases we need to define operations on edges. Suppose $e_{1}, \cdots, e_{k}$ are edges, and either $fin(e_{i}) = END$ for all $i$ or $fin(e_{i}) \ne END$ for all $i$. Then $\mathit{as}(e_{1}, \cdots, e_{k})$ is the edge $e$ such that 

$init(e) = \bigcup_{i} init(e_{i})$, 

$fin(e) = \bigcup_{i} fin(e_{i})$ unless $fin(e_{i}) = END$ for all $i$, in which case $fin(e) = END$; 

$prop(e) = \bigwedge_{i} prop(e_{i})$, 

$ev(e) = \bigcup_{i} ev(e_{i})$, 

$se(e) = \bigcup_{i} se(e_{i})$, and 

Also, $\mathit{and}(e_{1}, \cdots, e_{k})$ is defined similarly except that the condition on $fin(e_{i})$ and $END$ need not hold, and if $fin(e_{i}) = END$ for all $i$ then $fin(\mathit{and}(e_{1}, \cdots, e_{k})) = END$, but otherwise $fin(\mathit{and}(e_{1}, \cdots, e_{k})) = \bigcup\{fin(e_{i}) : fin(e_{i}) \ne END\}$. 
$G_{\alpha \wedge \beta}$ is defined as follows: 

$N(G_{\alpha \wedge \beta}) = \{m \cup n : m \in N(G_{\alpha}),\ n \in N(G_{\beta})\} \cup N(G_{\alpha}) \cup N(G_{\beta})$, 

$E(G_{\alpha \wedge \beta}) = \{\mathit{and}(e_{1}, e_{2}) : e_{1} \in E(G_{\alpha}),\ e_{2} \in E(G_{\beta})\}$, and $init(G_{\alpha \wedge \beta}) = init(G_{\alpha}) \cup init(G_{\beta})$. 

$G_{\alpha\ \mathit{as}\ \beta}$ is defined as follows: $N(G_{\alpha\ \mathit{as}\ \beta}) = \{m \cup n : m \in N(G_{\alpha}),\ n \in N(G_{\beta})\}$, 

$E(G_{\alpha\ \mathit{as}\ \beta}) = \{\mathit{as}(e_{1}, e_{2}) : e_{1} \in E(G_{\alpha}),\ e_{2} \in E(G_{\beta}),\ \mathit{as}(e_{1}, e_{2})\ \text{is defined}\}$, and 

$init(G_{\alpha\ \mathit{as}\ \beta}) = init(G_{\alpha}) \cup init(G_{\beta})$. 

The remaining connectives are $\mathit{iter}^{*}$, $\mathit{iter}(*)$, and $\mathit{infloop}$. For these iteration primitives, it is necessary to require that some of the graphs be node disjoint. We say that a graph $G$ is node disjoint if for any two distinct nodes $m$ and $n$ of $G$, $m \cap n = \emptyset$. We define the operation of disjoining a graph $G_{1}$ to produce an "equivalent" graph $G_{2}$ which is node disjoint. This consists essentially in renaming node basis elements in each node so that distinct nodes will be disjoint, and also adjusting eventualities, satisfied eventualities, and node relations in an appropriate way. Formally, for each node $n$ we find a 1-1 function $\theta_{n}$ whose domain is $n$ and such that for distinct nodes $m$ and $n$ of $G_{1}$, $\theta_{m}(m)$ and $\theta_{n}(n)$ are disjoint. Note that we are extending $\theta_{m}$ and $\theta_{n}$ to sets of elements in the node basis, in the usual way. Then $G_{2}$ is defined by $Nodes(G_{2}) = \{\theta_{n}(n) : n \in Nodes(G_{1})\}$, $Init(G_{2}) = \theta_{m}(m)$ for $m = Init(G_{1})$, and $Edges(G_{2}) = \{\langle \theta_{m}(m), \theta_{n}(n), C, ev', se', R'\rangle : \langle m, n, C, ev, se, R\rangle \in Edges(G_{1})\}$, where $ev' = \{\langle v, \theta_{m}(r)\rangle : \langle v, r\rangle \in ev\}$, $se' = \{\langle v, \theta_{m}(r)\rangle : \langle v, r\rangle \in se\}$, and $R' = \{\langle \theta_{m}(x), \theta_{n}(y)\rangle : \langle x, y\rangle \in R\}$. It is this operation of disjoining graphs that leads to the nonelementary performance of the satisfiability algorithm. It is not really necessary to do this operation in all cases, but we specify it for all cases for simplicity. When defining graphs for $\mathit{iter}^{*}(\alpha, \beta)$, $\mathit{iter}(*)(\alpha, \beta)$, and $\mathit{infloop}(\alpha)$, we assume that $\alpha$ and $\beta$ are separated as before, and also that $\alpha$ is node disjoint. 

$G_{\mathit{iter}(*)(\alpha, \beta)}$ is defined using $G_{\alpha \vee \beta}$ in the following way: 

$N(G_{\mathit{iter}(*)(\alpha, \beta)}) = \{\bigcup S : S$ is a subset of $N(G_{\alpha \vee \beta})$ not containing $END$ and containing at most one node in $N(G_{\beta})\} \cup \{END\}$, $init(G_{\mathit{iter}(*)(\alpha, \beta)}) = init(G_{\alpha \vee \beta})$, and 

$E(G_{\mathit{iter}(*)(\alpha, \beta)}) = E1 \cup E2$ where $E1$ and $E2$ are as follows: 

$E1 = \{\mathit{as}(e_{1}, \cdots, e_{k}, \langle init(G_{\alpha \vee \beta}), init(G_{\alpha \vee \beta}), T, \emptyset, \emptyset, g_{init(G_{\alpha \vee \beta}), init(G_{\alpha \vee \beta})}\rangle) :$ this is defined and $e_{i} \in E(G_{\alpha \vee \beta})$ for all $i$, no $e_{i}$ in $E(G_{\beta})$, $init(e_{1}) = init(G_{\alpha \vee \beta})$, and the $init(e_{i})$ are all distinct$\}$ 

$E2 = \{\mathit{as}(e_{1}, \cdots, e_{k}) : \mathit{as}(e_{1}, \cdots, e_{k})$ is defined and $e_{i} \in E(G_{\alpha \vee \beta})$ with exactly one $e_{i}$ in $E(G_{\beta})$ and the $init(e_{i})$ are all distinct$\}$ 

The edges $E1$ represent repeated iterations of $\alpha$ and the edges $E2$ represent the time after $\beta$ has begun. 
$G_{\mathit{iter}^{*}(\alpha, \beta)}$ is the same as $G_{\mathit{iter}(*)(\alpha, \beta)}$ except that there is a new eventuality $\langle v, init(G_{\alpha \vee \beta})\rangle$ added to edges $e$ such that $init(G_{\alpha \vee \beta}) \subseteq init(e)$ and $init(G_{\alpha \vee \beta}) \subseteq fin(e)$. Also, edges $e$ in $G_{\mathit{iter}^{*}(\alpha, \beta)}$ have satisfied eventuality $\langle v, init(G_{\alpha \vee \beta})\rangle$ added if $init(G_{\alpha \vee \beta}) \subseteq init(e)$ but not $init(G_{\alpha \vee \beta}) \subseteq fin(e)$. Intuitively, $v$ represents the eventuality that $\beta$ must eventually be true. 

Finally, $G_{\mathit{infloop}(\alpha)}$ is like $G_{\mathit{iter}(*)(\alpha, \beta)}$ except that the edges in $E2$ and nodes having subsets in $N(G_{\beta})$ are omitted. 


4.2 Semantics of graphs 

With a graph $G$ as above we associate a semantics $\Psi_{1}(G)$ representing the set of standard interpretations satisfying $G$. A standard interpretation $I$ is in $\Psi_{1}(G)$ if there is an infinite sequence $e_{1}, e_{2}, \cdots$ of edges of $G$ such that 

a) $init(e_{1}) = init(G)$ 

b) $fin(e_{i}) = init(e_{i+1})$ for all $i \ge 1$ 

c) $I_{i} \models prop(e_{i})$ for all $i$, where $I_{i}$ is the interpretation $I$ specifies at the $i$-th instant of time 

d) all eventualities in the path $e_{1}, e_{2}, \cdots$ are satisfied. 

The satisfaction of eventualities is defined in a nonstandard way. We extend the node relations $R$ to eventuality relations by $R(\langle v, m\rangle, \langle w, n\rangle)$ iff $v = w$ and $R(m, n)$. An eventuality $ev$ in $ev(e_{i})$ is satisfied in the path if there exist $ev_{i}, ev_{i+1}, \cdots, ev_{i+k}$ such that $ev = ev_{i}$ and $ev_{i+k} \in se(e_{i+k})$ and for all $j$, $0 \le j < k$, $R_{e_{i+j}}(ev_{i+j}, ev_{i+j+1})$. Thus the eventualities may be transformed at each edge in the path, and they are satisfied if at some future time, some such transformed eventuality is satisfied. We claim that $\Psi_{1}(\alpha) = \Psi_{1}(G_{\alpha})$ for all formulae $\alpha$ in $L_{1}$. Thus the semantics of graphs agree with those of the formulae of the low level language. 


4.3 Example 

We now give an example of a formula and the graph constructed from it. First we give an intuitive explanation of the construction for $\mathit{iter}^{*}(\alpha, \beta)$. Consider the graph $G = G_{\alpha \vee \beta}$ for $\alpha \vee \beta$. We construct the graph for $G_{\mathit{iter}^{*}(\alpha, \beta)}$ from $G$ by permitting the nodes of $G$ to have "markers." These markers can travel along edges of $G$. The current state of the graph is determined by which nodes have markers on them. At the start, only the initial node of $G$ has a marker. Thereafter, markers travel along edges in one of two ways: a) The marker from the initial node travels to some node in $G_{\alpha}$ along an edge, and also reproduces a copy of itself which remains on the initial node. All other markers travel along some edge; if there is an edge $e$ and a marker on node $init(e)$, this marker can travel to node $fin(e)$. This marker is then removed from $init(e)$. A marker can only travel to one other node in one time instant (except that the marker on the initial node also may reproduce a copy of itself on the initial node). If a marker is on a node with no outgoing edges, this marker is deleted; this will happen for markers on the END node, for example. b) The marker from the initial node travels to some node in $G_{\beta}$, but does not reproduce a copy of itself on the initial node. Other markers may travel along edges as in a). 

In both cases, if a node ends up with more than one marker on it, all but one of these markers are removed. The collection of marked nodes may be considered as the "current node" of the graph $G$. A transition as in a) corresponds to the part of the iteration in which $\alpha$ is being repeated; a transition as in b) corresponds to the beginning of the $\beta$ part of the iteration. Let us call these transitions a-transitions and b-transitions, respectively. These transitions are the edges of $G$. The propositional part of such a transition is the conjunction of the propositional parts of the edges of $G_{\alpha \vee \beta}$ traversed during the transition. The a-transitions have a new eventuality associated with them; the b-transitions have this eventuality satisfied. This corresponds to the fact that there must eventually be a b-transition. In the formal definition of $G$, the nodes of $G$ are unions of the node basis elements in the marked nodes of $G_{\alpha \vee \beta}$, with the END node ignored in such unions. However, if only END is marked, this corresponds to the END node of $G$. The graph $G_{\mathit{iter}(*)(\alpha, \beta)}$ is similar except that there is no eventuality for a b-transition to occur. The graph $G_{\mathit{infloop}(\alpha)}$ is similar except that there are no b-transitions and no eventuality for a b-transition to occur. 

Consider the formula $\mathit{iter}^{*}(P, Q)$. Since all the partial interpretations $P$ must end at the same time as $Q$ does, this formula is equivalent to $Q$. To get a nontrivial use of $\mathit{iter}^{*}$, we need to use the $T^{*}$ constant. Consider the formula $\mathit{iter}^{*}(PT^{*}, Q)$. This is equivalent to $\bigvee_{i} P^{i};Q$. To represent graphs pictorially, we draw a node as a circle or oval containing its node basis elements. The edges are drawn as arrows from their initial node to their final node. The propositional parts of edges are drawn next to the edges. The eventualities, satisfied eventualities, and eventuality transforms are not given in the picture but are specified separately for simplicity. The initial node is indicated by a minus sign next to the node; the end node, if any, is indicated by END. This graph, with nodes deleted that are not reachable from the initial node, is as follows. Note that it is also permissible to delete edges whose propositional part is contradictory. 

[Figure: Graph for the formula $PT^{*} \vee Q$] 

Now, whenever there is an a-transition, $P$ will be true and markers will remain on nodes $\{r\}$ and $\{n\}$ and possibly END; when there is a b-transition, $Q$ will be true. Thus this graph specifies 


4.4 Iteration method 

An iteration method is applied to the graph $G_{\alpha}$ to determine if $\alpha$ is satisfiable. The idea is to repeatedly delete edges having eventualities that cannot be satisfied by any path in the graph, and to delete nodes having no outgoing edges (except for the END node). Also, edges whose propositional part is contradictory may be deleted. The formula $\alpha$ is satisfiable iff the initial node of $G_{\alpha}$ remains after this iteration is completed. When searching for paths satisfying eventualities, the eventuality transforms have to be considered as indicated above. The techniques described in [5] for obtaining decision procedures for combinations of temporal logic and other specialized theories can also be applied. Finally, as in [5], it is possible to permit an arbitrary combination of state variables, whose values change with time, and free variables, whose values do not. For a discussion of these concepts see [5]. 
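The following Python is an added example, not the report's own code, implementing the eventuality satisfaction of section 4.2 and the pruning iteration of this section over small hand-constructed graphs. The graphs, their node basis elements and the eventuality primitive "v" are constructed here for illustration and are not the graph of section 4.3.

```python
"""Iteration method over an eventuality graph (added example).

Nodes are frozensets of node basis elements (or the string END); an edge is
<init, fin, prop, ev, se, R> as in section 4.1: prop is a frozenset of
literals (name, polarity), ev and se are frozensets of eventualities
(primitive, node), and R is a frozenset of node pairs.  An eventuality on an
edge is satisfied, as in section 4.2, if it can be carried along a path,
transformed at each edge by that edge's node relation, until a transformed
copy appears in the se part of some edge.
"""
from collections import deque, namedtuple

Edge = namedtuple("Edge", "init fin prop ev se R")
END = "END"


def contradictory(prop):
    return ("F", True) in prop or any((v, False) in prop for (v, pol) in prop if pol)


def eventuality_satisfiable(edges, e, ev):
    """Can eventuality ev, carried by edge e, be satisfied on some path of the graph?"""
    v, node = ev
    seen, todo = set(), deque([(e, node)])
    while todo:
        cur, n = todo.popleft()
        if (cur, n) in seen:
            continue
        seen.add((cur, n))
        if (v, n) in cur.se:          # satisfied here (after zero or more transforms)
            return True
        for (a, b) in cur.R:          # transform <v, n> to <v, b> via R_cur ...
            if a == n:
                for nxt in edges:     # ... and carry it onto any successor edge
                    if nxt.init == cur.fin:
                        todo.append((nxt, b))
    return False


def iterate(nodes, edges):
    """Prune until nothing changes; returns the surviving (nodes, edges)."""
    nodes, edges = set(nodes), set(edges)
    changed = True
    while changed:
        changed = False
        for e in list(edges):
            if (contradictory(e.prop) or e.init not in nodes or e.fin not in nodes
                    or any(not eventuality_satisfiable(edges, e, ev) for ev in e.ev)):
                edges.remove(e)
                changed = True
        for n in list(nodes):
            if n != END and not any(e.init == n for e in edges):
                nodes.remove(n)
                changed = True
    return nodes, edges


def satisfiable(nodes, edges, init):
    """The formula behind the graph is satisfiable iff its initial node survives."""
    return init in iterate(nodes, edges)[0]


# Constructed sample data: A and B are singleton nodes, V an eventuality primitive.
A, B = frozenset({1}), frozenset({2})
P, Q = frozenset({("P", True)}), frozenset({("Q", True)})
V = "v"


def transform_graph(relate):
    """e1: A -> B carries <v, A>; e2: B -> END satisfies <v, B>.  The eventuality
    reaches e2 only if R_e1 maps A to B, so relate=False makes it unsatisfiable."""
    R1 = frozenset({(A, B)}) if relate else frozenset()
    e1 = Edge(A, B, P, frozenset({(V, A)}), frozenset(), R1)
    e2 = Edge(B, END, Q, frozenset(), frozenset({(V, B)}), frozenset())
    return {A, B, END}, {e1, e2}, A


def loop_graph(with_b_edge):
    """A self-loop on A repeating P with eventuality <v, A> (an a-transition) and an
    optional edge A -> END on Q that satisfies it (a b-transition)."""
    e_a = Edge(A, A, P, frozenset({(V, A)}), frozenset(), frozenset({(A, A)}))
    e_b = Edge(A, END, Q, frozenset(), frozenset({(V, A)}), frozenset())
    edges = {e_a, e_b} if with_b_edge else {e_a}
    return {A, END}, edges, A
```

Without the b-transition the eventuality on the self-loop can never be satisfied, so the loop edge, and then the initial node, are pruned and the graph is reported unsatisfiable.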


4.5 Complexity 

This decision procedure is of nonelementary complexity since $|N(G_{\mathit{iter}(*)(\alpha, \beta)})|$ is exponential in $|N(G_{\alpha})|$, and the node disjoining procedure can then lead to an exponential number of node basis elements in the graph. There may be an arbitrarily deep nesting of the $\mathit{iter}^{*}$ and $\mathit{iter}(*)$ and $\mathit{infloop}$ connectives, leading to nonelementary behavior. The following example may give some syntactic insight as to why the closure of the formulae in $L_{1}$ can be so large: Let $A_{1}$ be the formula 

$\mathit{infloop}(\exists x(\mathit{iter}(*)(\alpha_{1}, \beta_{1})\ \mathit{as}\ \cdots\ \mathit{as}\ \mathit{iter}(*)(\alpha_{n}, \beta_{n})))$ 

The closure of this formula will include formulae of the form $\gamma_{1}\ \mathit{as}\ \gamma_{2}\ \mathit{as}\ \cdots\ \mathit{as}\ \gamma_{n}$ where $\gamma_{i}$ is in the closure of $\mathit{iter}(*)(\alpha_{i}, \beta_{i})$. If the closure of $\mathit{iter}(*)(\alpha_{i}, \beta_{i})$ has at least two formulae for all $i$, then there can be $2^{n}$ such formulae $\gamma_{1}\ \mathit{as}\ \cdots\ \mathit{as}\ \gamma_{n}$, and the closure of $A_{1}$ can contain formulae $2^{n}$ times as large as formulae in the closure of $\mathit{iter}(*)(\alpha_{i}, \beta_{i})$. Similarly, let $A_{2}$ be 

$\mathit{infloop}((\mathit{iter}(*)(\alpha_{1}, \beta_{1})\ \mathit{as}\ \cdots\ \mathit{as}\ \mathit{iter}(*)(\alpha_{n}, \beta_{n}));\gamma)$ 

The closure of $A_{2}$ includes formulae of a similar form except that $\gamma_{i}$ is of the form $(\beta_{1}\ \mathit{as}\ \cdots\ \mathit{as}\ \beta_{n});\gamma$. Finally, let $A_{3}$ be the formula 

$\mathit{infloop}(\gamma \wedge (\mathit{iter}(*)(\alpha_{1}, \beta_{1})\ \mathit{as}\ \cdots\ \mathit{as}\ \mathit{iter}(*)(\alpha_{n}, \beta_{n})))$ 

The closure of $A_{3}$ is similar except that $\gamma_{i}$ is of the form $\gamma \wedge (\beta_{1}\ \mathit{as}\ \cdots\ \mathit{as}\ \beta_{n})$. Intuitively, the closure of a formula $A$ represents the set of formulae $B$ which may be true at future times if $A$ is true now. 


5. Interval logic 

We now give some examples to illustrate how the interval logic of Schwartz, Melliar-Smith, and Vogt [7] may easily be translated into the low level language. In fact, this translation was the original motivation for developing the low level language, since it seemed much simpler to program a decision procedure for the low level language than for interval logic. 

Interval logic was developed to permit convenient reasoning about intervals of time. An interval formula is a formula of interval logic and has a Boolean truth value in any interpretation. An interval term is an expression of interval logic whose value is a time interval. Without going into details, let $Expr(\alpha)(z)$ be the translation of interval formula $\alpha$ in context $z$, and let $Int(\alpha)(x, y, z, d)$ be the translation of interval term $\alpha$ in context $z$, where the interval begins at $x$ and ends at $y$. Here $d$ is the direction in which you are looking for the interval, and may be $F$ (forward) or $B$ (backward). For our purposes, $x$, $y$, and $z$ are propositional variables which intuitively denote the next state in which they are true. We give a few translations; for an explanation of the notation see [7]. 

$Expr([I]\alpha)(z) = \exists x\, \exists y\, Int(I)(x, y, z, F) \wedge Fx(T^{*}x\, Expr(\alpha)(y))$ 

$Int(\alpha \rightarrow \beta)(x, y, z, d) = \exists w\, Int(\alpha)(w, x, z, d) \wedge \exists v\, Fx(T^{*}x\, Int(\beta)(v, y, x, F))$ 

$Expr(p)(z) = $ if $z = \infty$ then $pT^{\infty}$ else $p\, \mathit{iter}^{*}(T^{*}, z)$ 

To decide if an interval formula $\alpha$ is valid, we can convert $\neg\alpha$ to a normal form $\beta$ and test if $Expr(\beta)(\infty)$ is satisfiable. 


6. A PSPACE sublanguage 

We originally intended to use the language $L_{1}$ to show that interval logic has a PSPACE decision procedure. For this, it is necessary to find a sublanguage of $L_{1}$ which can be decided in PSPACE and into which all interval logic expressions may be translated. We have been unable to do this. It seems that preventing $\alpha$ from containing any iteration connectives in expressions of the form $\mathit{iter}^{*}(\alpha, \beta)$, $\mathit{iter}(*)(\alpha, \beta)$, and $\mathit{infloop}(\alpha)$ would help, but this prevents certain interval logic formulae from being expressed. However, this does not mean that interval logic is not in PSPACE. 


7. Other temporal logics 

It would be interesting to compare the expressive power of $L_{1}$ with other temporal and process logics. One can easily encode the usual discrete linear time temporal logic into $L_{1}$ by expressing $Until(x, y)$ as $\mathit{iter}(*)(x, y)$ (with no eventuality implied), "next time $x$" as $T;x$, "henceforth $x$" as $\mathit{infloop}(x)$, "eventually $x$" as $\mathit{iter}^{*}(T^{*}, x)$, propositional variables $p$ as $pT^{*}$, $\neg p$ as $\bar{p}T^{*}$, and Boolean connectives $\wedge$ and $\vee$ as themselves. This requires pushing negations to the bottom, but it is possible to do this; the only slightly hard case is negating "until". 


The semicolon operator seems similar to the "chop" operator of dynamic logic [2]; 
the interval logic of Moszkowski[4] has a slightly similar semicolon operator but is undecidable. 
We now consider a branching time version of the low level language. 


7.1 Branching time syntax 

Expressions may be path expressions or state expressions. Intuitively, the models are trees, and path expressions refer to paths in the tree while state expressions refer to the whole tree. All the previous connectives are still used; they map path expressions to path expressions. Thus if $\alpha$ and $\beta$ are path expressions, so are $\alpha;\beta$, $\alpha\beta$, et cetera. In addition, if $\alpha$ is a path expression, then $A\alpha$ and $E\alpha$ are state expressions. Also, if $\alpha$ and $\beta$ are state expressions, then $\alpha \wedge \beta$ and $\alpha \vee \beta$ are state expressions. If $\alpha$ is a state expression, then $\exists x\alpha$, $Fx\alpha$, and $Tx\alpha$ are state expressions. Finally, if $x$ is a propositional variable or its negation, $T$, or $F$, then $x$ may be regarded as a state expression. Thus we are overloading certain operators; for example, $\exists x$ maps path expressions to path expressions and state expressions to state expressions. Finally, any state expression can be viewed as a path expression. 


7.2 Branching time semantics 

The semantics is defined analogously to that for the linear time logic. A literal is a propositional variable or its negation. A partial path interpretation is a triple $(V, L, P)$ where $V$ is a tree, $L$ is a labeling function mapping nodes of $V$ to conjunctions of literals, and $P$ is a finite or infinite path of $V$ starting at the root and not crossing any node more than once. A partial state interpretation is a pair $(V, L)$ with $V$ and $L$ as above. With each path expression $\alpha$ we associate a set $\Psi(\alpha)$ of partial path interpretations, and with each state expression $\alpha$ we associate a set $\Psi(\alpha)$ of partial state interpretations. The expression $\alpha$ is consistent if some member of $\Psi(\alpha)$ is a tree having no contradictory conjunctions. Let us call a path $P$ of $V$ as above a prefix path of $V$. By convention, if $L$ is a labeling function of a tree $V$, and $N$ is a node not in $V$, then $L(N) = T$. The semantics is defined as follows. 

$(V, L, P) \in \Psi(x)$ for $x$ a literal, $T$, or $F$ if $L(N) = x$ where $N$ is the root node of $V$ and $L(M) = T$ (True) for $M \ne N$ and $P = \{N\}$. 

$(V, L, P) \in \Psi(T^{*})$ if $L(N) = T$ for all $N$ and $P$ is any prefix path of $V$. 

$(V, L, P) \in \Psi(\alpha \wedge \beta)$ if there exist $L1$, $L2$, and $P1$ such that $P1$ is a prefix of $P$ and $L = L1 \wedge L2$ and either $(V, L1, P1) \in \Psi(\alpha)$ and $(V, L2, P) \in \Psi(\beta)$ or $(V, L1, P) \in \Psi(\alpha)$ and $(V, L2, P1) \in \Psi(\beta)$. 

$(V, L, P) \in \Psi(\alpha\ \mathit{as}\ \beta)$ if there exist $L1$, $L2$ such that $L = L1 \wedge L2$ and $(V, L1, P) \in \Psi(\alpha)$ and $(V, L2, P) \in \Psi(\beta)$. 

$(V, L, P) \in \Psi(\alpha \vee \beta)$ if $(V, L, P) \in \Psi(\alpha)$ or $(V, L, P) \in \Psi(\beta)$. 

$(V, L, P) \in \Psi(\alpha;\beta)$ if there exist $L1$, $L2$, $P1$, $P2$ such that $L = L1 \wedge L2$, $P = P1;P2$, $(V, L1, P1) \in \Psi(\alpha)$, and $V$ has a subtree $V1$ such that $(V1, L2, P2) \in \Psi(\beta)$. 

$(V, L, P) \in \Psi(\alpha\beta)$ if there exist $L1$, $L2$, $P1$, $P2$ such that $L = L1 \wedge L2$, $P = P1P2$ (that is, $P1$ and $P2$ have a node in common), $(V, L1, P1) \in \Psi(\alpha)$, and $V$ has a subtree $V1$ such that $(V1, L2, P2) \in \Psi(\beta)$. 

$\mathit{infloop}(\alpha) = \alpha \wedge T;\alpha \wedge T^{2};\alpha \wedge \cdots \wedge T^{k};\alpha \wedge \cdots$ 

$\mathit{iter}^{*}(\alpha, \beta) = \bigvee_{k \ge 0} [\alpha \wedge T;\alpha \wedge \cdots \wedge T^{k};\alpha \wedge T^{k+1};\beta]$ 

$\mathit{iter}(*)(\alpha, \beta) = \mathit{infloop}(\alpha) \vee \mathit{iter}^{*}(\alpha, \beta)$ 

$(V, L, P) \in \Psi(\exists x\alpha)$ if there is a function $L1$ such that $(V, L1, P) \in \Psi(\alpha)$ and $L$ is identical to $L1$ except that $L$ deletes $x$ and $\bar{x}$ from nodes in $P$. 

$(V, L, P) \in \Psi(Fx\alpha)$ if there is a function $L1$ such that $(V, L1, P) \in \Psi(\alpha)$ and $L$ is identical to $L1$ except that $L$ adds $\bar{x}$ to nodes of $P$ not containing $x$ or $\bar{x}$. 

$(V, L, P) \in \Psi(Tx\alpha)$ if there is a function $L1$ such that $(V, L1, P) \in \Psi(\alpha)$ and $L$ is identical to $L1$ except that $L$ adds $x$ to nodes of $P$ not containing $x$ or $\bar{x}$. 

$(V, L, \{N\}) \in \Psi(\alpha)$ if $\alpha$ is a state expression, $(V, L) \in \Psi(\alpha)$, and $N$ is the root of $V$. (This converts state expressions to path expressions.) 

If $\alpha$ is a literal, $T$, $F$, or $T^{*}$, regarded as a state expression, then $\Psi(\alpha)$ is as above except that the path part of interpretations is omitted. 

$(V, L) \in \Psi(\exists x\alpha)$ for state expression $\alpha$ if there is a function $L1$ such that $(V, L1) \in \Psi(\alpha)$ and $L$ is identical to $L1$ except that $L$ deletes $x$ and $\bar{x}$ from all nodes. 

The semantics of $Fx\alpha$ and $Tx\alpha$ for state expressions $\alpha$ are defined similarly, modifying all conjunctions, not just those on some path. 

$(V, L) \in \Psi(A\alpha)$ if for all infinite prefix paths $P$ of $V$, $P$ has a prefix $P1$ such that $(V, L, P1) \in \Psi(\alpha)$. 

$(V, L) \in \Psi(E\alpha)$ if for some prefix path $P$ of $V$, $(V, L, P) \in \Psi(\alpha)$. 

We do not have any information about the decidability of this branching time version of the low level language, except that the satisfiability problem is at least as hard as that of $L_{1}$ since $L_{1}$ is a subset of the language. Also, it appears that $L_{1}$ is of nonelementary complexity. 


7.3 Regular expressions 

We could add the star operator $\alpha^{*}$ to the linear and branching time logics to get a formalism including regular expressions as a syntactic subset. However, this was not necessary for our purposes. 


8. Executable specifications 

In the style of Manna and Wolper [3] and the "path expressions" of Campbell and Habermann [1], we can use the linear time low level language to construct programs having a specified behavior. Given a low level formula $\alpha$, we construct the graph $G_{\alpha}$ which represents the set of models of $\alpha$; this graph can then be regarded as a program. By adding suitable fairness constraints to certain nodes of $G_{\alpha}$, we obtain a program which satisfies all eventualities of $\alpha$ and thus behaves as specified by $\alpha$. In this way we might consider automatically constructing concurrent programs from their specifications. 